New thoughts on the WMF exploit – agreements and disagreements

January 3rd, 2006

Another day, another set of thoughts on the WMF exploit.

It seems that the world is waking up to the exploit now. For the past few days I've felt that it has mostly been a talking point among security folk, but now that people are getting back into the swing of work, the threat seems to be gaining a wider audience.

There's also tons of information on the web about this now, although I don't agree with all of it. For example, this from Jesper's Blog (via Scobleizer):

Therefore, blocking files based on extensions is useful, but not complete protection. To be fully protected you would need to block all the file types that can be used, which may include EMF, GIF, JPG (and friends), Paint, PJPG, PNG, TIF, WMF, and possibly others as well.

No, to have any real protection at all, you'd have to block those image files. On day 1 blocking .WMF alone would have been effective, but as soon as it was discovered that the exploit still worked after the extension was changed, that stopped being enough; most of the examples I have seen now use .GIF or .JPG extensions. I also don't agree with Jesper's view on the unofficial patch:
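Since the exploit files are recognised by their content rather than their name, a defender's filter has to look at the bytes, not the extension. The following is an added example, not code from the original post: it sniffs the standard WMF METAHEADER and the placeable-metafile key against a few constructed sample headers (not real exploit files) carrying misleading extensions.

```python
import struct

# WMF signatures: Aldus placeable header key, and the standard METAHEADER
# fields (mtType 1 = memory / 2 = disk, mtHeaderSize = 9 words, mtVersion).
PLACEABLE_KEY = 0x9AC6CDD7
STANDARD_TYPES = {1, 2}
STANDARD_VERSIONS = {0x0100, 0x0300}


def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes begin with a WMF header, whatever the file is called."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    if len(data) >= 6:
        mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        return (mt_type in STANDARD_TYPES and header_size == 9
                and version in STANDARD_VERSIONS)
    return False


def classify(name: str, data: bytes) -> str:
    """Compare the content-based verdict with the extension the file claims."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if looks_like_wmf(data):
        return "wmf" if ext == "wmf" else "wmf-content-with-misleading-extension"
    return "not-wmf"


# Constructed sample headers: only the leading bytes a parser inspects.
SAMPLES = {
    "holiday.jpg": struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12,  # WMF renamed .jpg
    "logo.gif":    struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18,   # placeable WMF as .gif
    "photo.jpg":   b"\xff\xd8\xff\xe0" + b"\x00" * 18,                # genuine JPEG header
    "chart.wmf":   struct.pack("<HHH", 2, 9, 0x0100) + b"\x00" * 12,  # honestly named WMF
}


def scan(samples=SAMPLES) -> dict:
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:14s} {verdict}")
```

An extension-only filter would pass the first two samples; the content check flags both.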

Finally, there is an unofficial patch. Patch really is the right terminology for this. It patches (using basic rootkit technology) a system DLL to ignore calls to the vulnerable function. The patch is an executable and has to be run on each vulnerable system, meaning cost of implementation is potentially very high. According to SANS, it does stop the current exploits. Personally, I have not tested it, and I have no intention of using an unofficial patch at this time.

I think that this is more Microsoft employees treading the corporate line.  The list of reputable organizations and individuals recommending this patch is growing daily.

Larry Seltzer from eWeek has also been doing a lot of testing:

In a practical sense, only Windows XP and Windows Server 2003 (in all their service pack levels) are vulnerable to the WMF flaw.

This is because only Windows XP and Windows Server 2003 have a default association for WMF files.  Interesting how Microsoft added this default file association for an obsolete file type.

Expect to hear a LOT more about this story before it goes away.


This entry was posted on Tuesday, January 3rd, 2006 at 10:35 and is filed under Stay Secure.