Educause Security Discussion mailing list archives
Re: Jan 10 is the Microsoft stated release date for a WMF page -- was : what is your advice to your users
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 3 Jan 2006 15:11:09 -0500
jack suess wrote:

> Within the Security Task Force we have been in communication with Microsoft staff related to the WMF exposure. I wanted to pass this on to the community so you have the same information we do in making a decision on this. Microsoft doesn't recommend installing a third party patch for this and is expecting to release a "tested" patch on January 10th through Windows Update Service. Microsoft is working with various CERTs to stay on top of what is happening "in the field" and would consider moving up the release if the risks changed.

How about making the proposed Microsoft patch available on a downloads page as a "beta" with appropriate caveats and click agreements so IT departments can do some of our own testing and familiarize themselves with it in case of an event that requires a quick reaction.

> Presently, the impact is limited

The problem is that while there may be limited activity exploiting the defect now, that could change an hour from now. A well socially engineered attack could render a large number of desktops compromised and/or nonfunctional. All it would take is a few well placed initial seeds. The old Aplore worm from years ago had each infected system act as a web server for the next system so web servers holding malicious code couldn't be shut down. Port 80 isn't going to be closed and .jpg files aren't going to be filtered except in a case of a huge meltdown. In any case, it's not so much the widely publicized worm I'm worried about. It's the quiet compromise of our infrastructure as critical desktops are compromised. The loss of control over a single computer, a single account, or a single identity cannot be discounted or tolerated simply because it happens so often.

> and there are mitigations in place through updated anti-virus signatures

My understanding is that the exploits that *have been found in the wild* are detected by current AV definitions. OTOH, if others are not being detected, how would we know? There are published toolkits that purportedly make AV/IDS avoidance fairly easy. The initial exploits carried backdoors already known to AV companies and allegedly used them only for spyware installation. Will other criminals be as dumb?

> so the focus at Microsoft is fully testing this patch.

Let us help. People are already testing the unofficial patch and other workarounds. Let us do something more productive with a future.

> I talked with our security contact about the timing of this and her answers were thoughtful and consistent with what I've seen from other vendors. The concerns that Microsoft has are these.
>
> 1. A bad patch that introduces OS instability can cause an organization more damage than the WMF exposure. Microsoft feels it is essential to regression test any patch they provide. Bad experiences with automated update will cause people to stop using this service and that will do tremendous harm.

I agree. Put it up for individual download with caveats surrounding it.

> 2. 3rd party patches can't be tested by Microsoft and may change the code base to mean that official patches do not get loaded. This can be more problematic down the line than the added benefit gotten from the 3rd party patch. Alternately, you must work to uninstall the patch before January 10th.

Any beta patch would only be used by IT staff to test with in a corporate setting. If they decided to deploy early and there were problems, the decision and outcome would be their responsibility. That said, if we found that 30% of our desktops get infected overnight, I'd like to have *any* patch in hand before our 15,000 students return this weekend...two days before the tentative release schedule. If past experience is any guide, a fair number of them will have spyware on them or other nasties that may autoupdate through WMF exploitation.

> As I look at this I think Microsoft is taking a reasonable approach that is trying to balance the risk of not patching versus system instability in a problem patch. Clearly, this is a serious issue but to date we have not seen this flaw being exploited at our campus.

I've seen a few computers hitting Ukrainian web sites hosting what appear to be .wmf exploits but don't know why yet. At least one was redirected from what appears to be a domestic retailer. They're being blocked by our IPS. Activity was seen to several sites in the following Ukrainian netblock: http://www.ripe.net/perl/whois?form_type=simple&full_query_string=&searchtext=85.255.114.163&do_search=Search

> Institutions need to take a similar approach based on risk management to decide what they should do. Questions to ask are these:
>
> What is the likelihood that critical servers would be impacted by this flaw?

If all the desktops are infected, the servers will be unavailable, or perhaps worse, available to the wrong persons.

> Are other mitigations possible (such as awareness or dropping privilege levels for IE)?

I agree 100% but that is the type of solution that should be rolled out with planning even more than a patch.

> What is the likelihood that your users have up-to-date AV and that will mitigate this?

There is the big question. Who can answer it? The latest news is that there are tools to make exploits undetectable by AV. Can anyone confirm or deny this?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
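Added example, not part of Gary's or Jack's mail and not code from Microsoft or any vendor: the kind of content-based check an IPS or proxy could apply to the port 80 traffic discussed above. It identifies WMF content by its header rather than by file name (so a metafile served as .jpg is still recognized), then walks the metafile records looking for a META_ESCAPE record carrying the SetAbortProc escape. That record type is the structural trigger of the January 2006 WMF flaw as described in the public advisories of the time, which the thread itself does not spell out; it is assumed here as background. Because the check is structural rather than a hash of a known sample, it does not depend on AV definitions having seen a particular exploit. The WMF constants are taken from the public metafile format, and the two sample files are constructed inline with inert filler bytes in place of any payload.

```python
import struct

# WMF format constants (from the public metafile format, assumed; not from the page).
PLACEABLE_KEY = 0x9AC6CDD7   # Aldus placeable header magic, on disk as D7 CD C6 9A
META_EOF = 0x0000
META_ESCAPE = 0x0626
ESC_SETABORTPROC = 0x0009    # escape subfunction named in the MS06-001 advisory
JPEG_SOI = b"\xff\xd8\xff"


def sniff_type(data: bytes) -> str:
    """Classify by content, never by the extension the URL or filename claims."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return "wmf-placeable"
    if len(data) >= 6:
        mt_type, hdr_words, version = struct.unpack_from("<HHH", data, 0)
        # METAHEADER: type 1 (memory) or 2 (disk), header is 9 words, version 1.0 or 3.0
        if mt_type in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def wmf_records(data: bytes):
    """Yield (offset, function, params) for each record; stop at EOF or malformed size."""
    kind = sniff_type(data)
    if kind == "wmf-placeable":
        off = 22                      # skip the 22-byte placeable header
    elif kind == "wmf":
        off = 0
    else:
        return
    off += 18                         # skip METAHEADER (9 words)
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:            # a record is at least size + function
            break
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def scan(data: bytes, claimed_ext: str) -> list:
    """Return findings for content masquerading as an image or carrying SetAbortProc."""
    findings = []
    kind = sniff_type(data)
    if claimed_ext.lower() in (".jpg", ".jpeg", ".gif", ".png", ".bmp") and kind.startswith("wmf"):
        findings.append("content is %s but name claims %s" % (kind, claimed_ext))
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            esc = struct.unpack_from("<H", params, 0)[0]
            if esc == ESC_SETABORTPROC:
                findings.append("META_ESCAPE with SETABORTPROC at offset %d" % off)
    return findings


# Builders for constructed test fixtures (no real payload; filler bytes only).
def _record(func: int, params: bytes = b"") -> bytes:
    if len(params) % 2:
        params += b"\x00"             # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list, placeable: bool = False) -> bytes:
    body = b"".join(records) + _record(META_EOF)
    max_rec = max(len(r) for r in records + [_record(META_EOF)]) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    prefix = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 if placeable else b""
    return prefix + header + body


# Constructed samples: a harmless metafile, and one with a SetAbortProc escape
# whose "code" is 16 inert 'A' bytes, served under a .jpg name.
BENIGN_WMF = build_wmf([_record(0x0103, struct.pack("<H", 8))])   # META_SETMAPMODE
SUSPICIOUS_WMF = build_wmf(
    [_record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 16) + b"A" * 16)],
    placeable=True,
)

if __name__ == "__main__":
    print(scan(BENIGN_WMF, ".wmf"))
    print(scan(SUSPICIOUS_WMF, ".jpg"))
```

The header sniff is what makes the extension irrelevant; the record walk is what makes the check independent of AV definitions. A file that truncates mid-record or declares an impossible record size simply ends the walk, so a gateway can treat "no findings" on a well-formed file differently from a parse that bailed out early.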
Current thread:
- Re: Jan 10 is the Microsoft stated release date for a WMF page -- was : what is your advice to your users Steve Worona (Jan 03)
- <Possible follow-ups>
- Re: Jan 10 is the Microsoft stated release date for a WMF page -- was : what is your advice to your users jack suess (Jan 03)
- Re: Jan 10 is the Microsoft stated release date for a WMF page -- was : what is your advice to your users Brawner, David (Jan 03)
- Re: Jan 10 is the Microsoft stated release date for a WMF page -- was : what is your advice to your users Gary Flynn (Jan 03)