SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-01-06


It is all about the risk.

Published: 2006-01-06
Last Updated: 2006-01-06 20:57:58 UTC
by Adrien de Beaupre (Version: 1)
In recent discussions about the WMF vulnerability in Microsoft products there have been many different viewpoints, for example about whether to apply the unofficial patch or wait for one from the vendor. That point is now somewhat moot: Microsoft has released its official patch, and it works. Email feedback on our diary posts from the time of the discovery to the time of the MS advisory has been very strongly either for or against some of the stances taken by individual handlers and the Internet Storm Center as a whole, ranging from a hearty thank you to somewhat less than flattering.

In any case, what it comes down to is the risk to the individual or organization, and how that risk is managed. A home user may have no compunctions about going ahead and installing the unofficial patch, or may choose to wait for the officially sanctioned one; the ease of install and their level of computer knowledge will likely guide them. Corporate or governmental organizations have a completely different perspective. Installing a patch can be a major undertaking no matter the source, and their risk management practices will dictate how to proceed. Different organizations will have completely different approaches to determining their risk and the appropriate actions to mitigate it. Acquiring, testing, and deploying either the official or unofficial patch (or other forms of mitigation) is a significant undertaking no matter which steps led to the decision to do so. They may even choose simply to accept the risk and do nothing at all.

The Internet Storm Center is made up of volunteers with different backgrounds and perspectives on the overall risk of the WMF vulnerability and the active exploitation seen. The group consensus was that the risk was high enough to warrant raising the Infocon level, and then testing and endorsing the unofficial patch. We are well aware that one size doesn't fit all. At the time it was the only mitigation technique that actually worked: anti-virus and IDS/IPS do not give adequate protection against this attack and all of its vectors.

We collectively think Microsoft did the right thing in releasing the patch when they did, in advance of their regularly scheduled Tuesday. I think we can all agree that this is a serious issue, and that early patch release is a good thing.

Many handlers worked long hours on this effort, as did Microsoft and others.

Cheers,
Adrien de Beaupré
ISC handler of the day.
Cinnabar Networks Inc.
http://www.cinnabar.ca

* Microsoft Patches Released

Published: 2006-01-06
Last Updated: 2006-01-06 19:25:45 UTC
by Marcus Sachs (Version: 4)
Many of you already know this if you receive advance notification from Microsoft. For everybody else, see Microsoft's announcement about the early release of the WMF patch; the patch and details about it are available from Microsoft. If you have installed any of the earlier patches or workarounds, here is our recommendation for updating:

1.  Reboot your system to clear any vulnerable files from memory.
2.  Download and apply the new patch.
3.  Reboot.
4.  Uninstall the unofficial patch, using one of these methods:
    a.  Add/Remove Programs on single systems. Look for "Windows WMF Metafile Vulnerability HotFix".
    b.  Or, at a command prompt:
        "C:\Program Files\WindowsMetafileFix\unins000.exe" /SILENT
    c.  Or, if you used the MSI to install the patch on multiple machines, you can uninstall it with this:
        msiexec.exe /X{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66} /qn
5.  Re-register the DLL if you previously unregistered it (the same command you used to unregister it, without the "-u" switch):
        regsvr32 %windir%\system32\shimgvw.dll
6.  Optionally, reboot one more time just for good measure (not required, but it doesn't hurt).

We tested the patch, and it does block the attack just like the unofficial patch does.

If you experience any problems with the official patch, check support.microsoft.com and call the toll-free number listed there for free assistance. Microsoft will not support the unofficial patch. As an alternative to the sequence shown above, you may uninstall the unofficial patch first, but make sure you keep shimgvw.dll unregistered until the official patch is applied. Either sequence worked in our testing; removing the unofficial patch only after the official one is in place means you are never unprotected during the changeover.

You can use our test image at http://sipr . net/test . wmf to make sure you are not vulnerable: the test image will start the calculator if you are vulnerable.

I'd like to take this opportunity to thank all of our incident handlers for the endless hours of analysis over the past week.  Also, many thanks to the hundreds of readers who sent in analysis and observations.  Finally, thanks to the response team at Microsoft for issuing the patch today.  We all appreciate the extra internal effort it took to do this out of cycle.

Marcus  H. Sachs
Director, SANS Internet Storm Center

UPDATED News on the official WMF patch and DLL registration

  • If you installed the LEAKED Microsoft patch, make sure that you uninstall it before installing the officially released patch. Windows Update will detect the presence of the leaked patch, and bad things may happen.

  • If you installed the unofficial Ilfak patch, you can uninstall it before or after the official Microsoft patch; the order doesn't matter and should work either way. Windows Update apparently does not detect the unofficial patch.

  • If you unregistered the DLL (shimgvw.dll) you will need to re-register it in order to regain the functionality. The official Microsoft patch will NOT re-register the DLL for you; you will have to do it with the following command:
                regsvr32 %windir%\system32\shimgvw.dll

  • ISC has pulled the unofficial patch from our web site; if you download the text file that replaces it, it won't execute.
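The cleanup in steps 4 and 5 of the procedure above, together with the ordering caveats in the update notes, as an added example that is not code from the ISC diary or from either patch. It runs the diary's own uninstall commands and DLL re-registration, picking the MSI uninstall when the product code is registered and the Inno Setup uninstaller otherwise, and checks every exit code instead of assuming success. Assumptions not stated on the page: the official fix is KB912919 (MS06-001), Windows Installer lists the product code under the standard Uninstall registry key, and the machine has PowerShell 2.0 or later for Get-HotFix. It does not detect the leaked Microsoft build, for which the diary gives no identifier; remove that by hand before running this.

```powershell
# Added example (not code from the ISC diary or from either patch): clean up after
# the official WMF fix has been installed and the system rebooted (steps 4-5 above).
# Run from an elevated PowerShell prompt. Items marked ASSUMPTION are not on the page.

$ErrorActionPreference = 'Stop'

# Artifacts named in the diary: the Inno Setup uninstaller left by the unofficial
# patch on single systems, and the MSI product code of the packaged version.
$InnoUninstaller = Join-Path $env:ProgramFiles 'WindowsMetafileFix\unins000.exe'
$MsiProductCode  = '{E1CDC5B0-7AFB-11DA-8CD6-0800200C9A66}'
# ASSUMPTION: Windows Installer registers the product under the standard Uninstall key.
$MsiUninstallKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$MsiProductCode"
$ShimgvwDll      = Join-Path $env:windir 'system32\shimgvw.dll'

function Test-OfficialPatchInstalled {
    # ASSUMPTION: the official fix is KB912919 (MS06-001). The diary does not give
    # the KB number; check it against the bulletin you actually downloaded.
    return [bool](Get-HotFix | Where-Object { $_.HotFixID -eq 'KB912919' })
}

function Remove-UnofficialPatch {
    # Prefer the MSI uninstall when the product code is registered (mass-deployed
    # case); otherwise fall back to the Inno Setup uninstaller. msiexec returns
    # 3010 for "done, reboot required", which step 6 of the diary covers.
    if (Test-Path $MsiUninstallKey) {
        $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList "/X$MsiProductCode /qn" -Wait -PassThru
        return @{ Method = 'msi'; ExitCode = $p.ExitCode; Ok = ((0, 3010) -contains $p.ExitCode) }
    }
    if (Test-Path $InnoUninstaller) {
        $p = Start-Process -FilePath $InnoUninstaller -ArgumentList '/SILENT' -Wait -PassThru
        return @{ Method = 'inno'; ExitCode = $p.ExitCode; Ok = ($p.ExitCode -eq 0) }
    }
    # Nothing to remove: neither artifact is present.
    return @{ Method = 'none'; ExitCode = 0; Ok = $true }
}

function Register-Shimgvw {
    # The official patch does not re-register shimgvw.dll. /s suppresses the
    # dialog, so the exit code (0 = success) is the only signal; test for it.
    # Registering an already-registered DLL is harmless, so this is safe to run
    # even if you never unregistered it.
    if (-not (Test-Path $ShimgvwDll)) { throw "shimgvw.dll not found at $ShimgvwDll" }
    $p = Start-Process -FilePath 'regsvr32.exe' -ArgumentList "/s `"$ShimgvwDll`"" -Wait -PassThru
    return $p.ExitCode
}

# Ordering guard from the update notes: never be without a working fix. Only
# remove the unofficial patch once the official one is confirmed installed.
if (-not (Test-OfficialPatchInstalled)) {
    throw 'Official patch not found: install it and reboot before removing the unofficial one.'
}

$r = Remove-UnofficialPatch
if (-not $r.Ok) { throw "Unofficial patch removal via $($r.Method) failed (exit $($r.ExitCode))" }
Write-Host "Unofficial patch: method=$($r.Method), exit code $($r.ExitCode)"

$rc = Register-Shimgvw
if ($rc -ne 0) { throw "regsvr32 failed with exit code $rc" }
Write-Host 'shimgvw.dll re-registered. Reboot if msiexec returned 3010, or for good measure.'
```

After it completes, open the diary's test image to confirm the calculator no longer launches; the exit-code checks above only tell you the uninstall and re-registration ran, not that the graphics engine is patched.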





