Security Basics mailing list archives

Re: Detecting new Windows .jpeg exploit


From: Miles Stevenson <miles () mstevenson org>
Date: Wed, 15 Sep 2004 21:27:35 -0400

<snip>
What I'd like to know is how we can scan a fairly large network for
vulnerable machines.  Microsoft provided a tool to detect if your own
computer needs to be patched, but running this on potentially thousands of
systems isn't really an option.  Is there any way known at this time to
detect if a computer is vulnerable?
</snip>

Unfortunately, the number of applications that rely on these image-handling
libraries makes this a pretty tricky one to deal with. My recommendation is to
try and make sure all of your systems have XP SP2 installed first.

From there, you are going to have to identify the other applications and patch 
as necessary. This is going to take some time. So pay special attention to 
what is coming in through your mail servers, FTP transfers, and HTTP sessions 
for the users you are supporting. As controlling end-user surfing habits is 
not feasible for most sites, HTTP filtering probably isn't going to be a 
valid option. Just keep as much junk out of your mail server as possible. You 
may even want to consider switching users from IE to another browser, but 
since you can't get rid of IE, I wouldn't trust that. Patch patch patch. 

I'd be willing to bet that we are going to see a new worm variant exploiting 
this within the next month or two at the latest (we are possibly days away?). 
This is just too sweet an injection vector to be ignored by the blackhats.  
-- 
Miles Stevenson
miles () mstevenson org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
