Re: Example of WMF Exploit SPAM Targetting Schools?

[David Gillett <gillettdavid () FHDA EDU>]

  I recall that, a few years back, it was common for Microsoft
to downplay IE bugs with this "must get user to visit a
suspicious site" argument.
  And then some hacker crew broke into a hosting company and
defaced 500+ legit websites, adding code that exploited some
of those vulnerabilities.

  The notion that users can have any real idea, a priori, about
the actual safety of any site is just false.

  [On average, I'd agree that some sites are *more likely* than
others to be booby-trapped, and that factor may have its place
in the policy and "user education" sides of security management.
But I don't think it's really useful in assessing the severity
of a vulnerability.]

David Gillett


> -----Original Message-----
> From: Russell Fulton [mailto:r.fulton () AUCKLAND AC NZ]
> Sent: Monday, January 09, 2006 10:44 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Example of WMF Exploit SPAM
> Targetting Schools?
>
> Gary Flynn wrote:
> >          Mitigating Factors for Graphics Rendering Engine
> Vulnerability
> >          - CVE-2005-4560:
> >
> > "In all cases, however, an attacker would have no way to
> force users
> > to visit these Web sites. Instead, an attacker would have
> to persuade
> > users to visit the Web site, typically by getting them to
> click a link
> > in an e-mail or Instant Messenger request that takes users to the
> > attacker's Web site."
> >
> > Not much of a mitigating factor in my mind. Any half way
> decent social
> > engineering attack would be better than 80% effective
> unless everyone
> > was being told "don't click anything because your
> computer's security
> > has been completely compromised by a safety defect" or some other
> > equally politically difficult drastic measures were in place.
> You don't even need that.  At the beginning of the attack I
> set up argus to record the first 100 characters of each
> outbound session on port 80 and then examined the urls that
> whose downloads triggered my snort rules.
>
> The most persistent source addresses were in 85.255.112-119.
> These addresses will be well known to anyone who has looked
> at the source of spyware recently.  The addresses are
> registered to a hosting company based in the Ukraine but
> traceroute suggest they are being used in the US (at least
> the immediate upstream is a major US ISP).
>
> All the url seem to be referred from porn sites.  It is not
> clear if these sites have been compromised to redirect
> suckers to the malicious web sites or if they are willing
> participants in this scam.
>
> All the active addresses were supplied to MS via ISC but MS
> failed to get them shut down.  Hmmm....
>
> It is misleading of MS to suggest that this requires user
> action when in fact all that is required is that the victim
> visit a malicious web site which may be hosting other
> 'legitimate' material.
>
> Moral:  don't use windows to view porn :)
>
> Russell