More .wmf Woes

Published: 2006-01-02
Last Updated: 2006-01-02 18:01:15 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
The WMF issue continues to spin.  Overnight we received a note from HD Moore at Metasploit:

We released a new version of the metasploit framework module  for the WMF flaw, this one uses some header padding tricks and gzip encoding to bypass all known IDS signatures. Consider this "irresponsible" if you like, but it clearly demonstrates that a run-of-the-mill signature-based IDS (or A/V) is not going to work for this flaw. If anyone has any questions about why we are releasing these types of modules so early after the disclosure, feel free to drop me an email.

-HD

http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile

While many might disagree with what Moore and others are doing in the Metasploit project, be grateful that their efforts are "open" and available for both defenders and attackers to view.  If only the bad guys had the tools then the good guys would be left guessing on how this stuff works.  This reminds me of how bad we felt in the early 1990s when Satan was released.  We (the good guys) felt that they (the bad guys) had a tool that was "unfair" in that it allowed them to scan our networks looking for flaws.  Today of course no sysadmin worth his or her GIAC certification would run a network without scanning periodically for vulnerable systems.  So, if you haven't looked at the Metasploit project then today might be the day you should.  Think of it as a defender's best friend rather than an evil hacking tool.


Keywords:
0 comment(s)

Comments


Diary Archives