funsec mailing list archives

Re: potential worm exploiting WMF [was: Ilfak's WMF patch v. Microsoft's solution]


From: Matthew Murphy <mattmurphy () kc rr com>
Date: Tue, 03 Jan 2006 04:00:44 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Gadi Evron wrote:
> Hi Matthew..
> 
> Well, maybe a worm won't work best being sent via email, but try and
> look at what might work instead.. and the Bad Guys will surely find it.
> 
> They already used sending via IM, sending URLs.. etc.
> 
> If spam is any GIVE-AWAY, these tactics work.
> 
> It is one of the oldest tricks in the book to infect people.. via web
> pages. No need for much innovation.

You're absolutely right that these kinds of tactics work.  I wasn't
meaning to discount the possibility that this could be used in some kind
of worm, as it most certainly could.

What I *am* trying to put to rest is the apocalyptic line that such a
worm would bring exceptional devastation.  Indeed, there would most
likely be a slight uptick in the number of infected systems from a WMF
worm as opposed to a worm that requires the user to extract a binary
from a password-protected zip and then willfully open it.

However, I think this kind of a worm would have less staying power.
Whereas a standard .EXE worm relies on exploiting user stupidity, the
potential victim pool for a WMF worm will dry up quickly after patches
come out.  Once we are 30 days or so post-patch, those who would be
snared by a WMF worm will be patched.  The folks who aren't patched by
then are going to be the same ones who keep opening every
Bagle/Sober/etc. variant under the sun and seem absolutely determined to
infect themselves with any malware they can get their hands (or their
mice) on.

The problem is what happens in the interim.  The only time I see a WMF
worm being "successful" long-term is as a conduit to other malware.  If
systems of users who would otherwise *not* fall victim to e-mail worms
are infected by a WMF virus, and that virus is used to deploy *OTHER*
malware, we could be looking at a rise (at least in the short term) in
the number of compromised systems.

Even so, the chance of the "mother-of-worms" is pretty slim.  There are
other formats (JPEG, GIF, etc.) that almost every application utilizes
that will probably have holes as well.  Those are truly ubiquitous
formats... most apps will render them and a user won't even blink.  If
the workarounds are this *CRAPPY* (with Ilfak's software being the
exception) when *those* types of holes appear... we could really be in
for trouble.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDuktMfp4vUrVETTgRAxaYAJ4vIJYBfboqM9kbWNgMaMqOeI2IAwCghKqN
/8zkzT2Q7SxqaSQ1VewdKmM=
=Yd6+
-----END PGP SIGNATURE-----

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
