Educause Security Discussion mailing list archives

Re: Jan 10 is the Microsoft stated release date for a WMF page -- was : what is your advice to your users


From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 3 Jan 2006 15:11:09 -0500

jack suess wrote:

Within the Security Task Force we have been in communication with
Microsoft staff related to the WMF exposure. I wanted to pass this on
to the community so you have the same information we do in making a
decision on this.

Microsoft doesn't recommend installing a third party patch for this and
is expecting to release a "tested" patch on January 10th through
Windows Update Service. Microsoft is working with various CERTs to
stay on top of what is happening "in the field" and would consider
moving up the release if the risks changed.

How about making the proposed Microsoft patch available on a
downloads page as a "beta" with appropriate caveats and click
agreements so IT departments can do some of our own testing
and familiarize themselves with it in case of an event that
requires a quick reaction.

Presently, the impact is limited

The problem is that while there may be limited activity exploiting
the defect now, that could change an hour from now. A well socially
engineered attack could render a large number of desktops compromised
and/or unfunctional. All it would take is a few well placed initial
seeds. The old Aplore worm from years ago had each infected system
act as a web server for the next system so web servers holding
malicious code couldn't be shut down. Port 80 isn't going to be
closed and .jpg files aren't going to be filtered except in a case
of a huge meltdown.

In any case, it's not so much the widely publicized worm I'm worried
about. It's the quiet compromise of our infrastructure as critical
desktops are compromised.

The loss of control over a single computer, a single account,
or a single identity cannot be discounted or tolerated simply
because it happens so often.


and there are mitigations in place through updated anti-virus
signatures

My understanding is that the exploits that *have been found
in the wild* are detected by current AV definitions. OTOH,
if others are not being detected, how would we know? There
are published toolkits that purportedly make AV/IDS avoidance
fairly easy. The initial exploits carried backdoors already
known to AV companies and allegedly used them only for
spyware installation. Will other criminals be as dumb?

so the focus at Microsoft is fully testing this patch.

Let us help. People are already testing the unofficial patch
and other workarounds. Let us do something more productive
with a future.

I talked with our security contact about the timing of this and her
answers were thoughtful and consistent with what I've seen from other
vendors. The concerns that Microsoft has are these.

1. A bad patch that introduces OS instability can cause an organization
more damage than the WMF exposure. Microsoft feels it is essential to
regression test any patch they provide. Bad experiences with automated
update will cause people to stop using this service and that will do
tremendous harm.

I agree. Put it up for individual download with caveats surrounding
it.

2. 3rd party patches can't be tested by Microsoft and may change the
code base to mean that official patches do not get loaded. This can be
more problematic down the line than the added benefit gotten from the
3rd party patch. Alternately, you must work to uninstall the patch
before January 10th.

Any beta patch would only be used by IT staff to test with
in a corporate setting. If they decided to deploy early and
there were problems, the decision and outcome would be their
responsibility. That said, if we found that 30% of our
desktops get infected overnight, I'd like to have *any* patch
in hand before our 15,000 students return this weekend...two
days before the tentative release schedule. If past experience
is any guide, a fair number of them will have spyware on them
or other nasties that may autoupdate through WMF exploitation.


As I look at this I think Microsoft is taking a reasonable approach
that is trying to balance the risk of not patching versus system
instability in a problem patch. Clearly, this is a serious issue but to
date we have not seen this flaw being exploited at our campus.

I've seen a few computers hitting Ukrainian web sites hosting
what appear to be .wmv exploits but don't know why yet. At
least one was redirected from what appears to be a domestic
retailer. They're being blocked by our IPS. Activity was seen
to several sites in the following Ukrainian netblock:

http://www.ripe.net/perl/whois?form_type=simple&full_query_string=&searchtext=85.255.114.163&do_search=Search

Institutions need to take a similar approach based on risk management
to decide what they should do. Questions to ask are these?

What is the likelihood that critical servers would be impacted by this
flaw?

If all the desktops are infected, the servers will be unavailable,
or perhaps worse, available to the wrong persons.

Are other mitigations possible (such as awareness or dropping
privilege levels for IE).

I agree 100% but that is the type of solution that should be
rolled out with planning even more than a patch.

What is the likelihood that your users have up-to-date AV and that will
mitigate this?

There is the big question. Who can answer it? The latest news
is that there are tools to make exploits undetectable by AV.
Can anyone confirm or deny this?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
