At the end of the day I finally recieved a notice from US-CERT (http://www.us-cert.gov/cas/techalerts/TA05-362A.html)
Not all anti-virus software products are currently able to detect all known variants of exploits for this vulnerability. However, US-CERT recommends updating anti-virus signatures as frequently as practical to provide maximum protection as new variants appear.
US-CERT is tracking this issue as VU#181038. This reference number corresponds to CVE entry CVE-2005-4560.
Got that? This is VU#181038, filed under CVE-2005-4560 and available online as TA05-362A. Roger that.
Anyway, they supported the recommendations by F-secure and Sunbelt:
Do not access Windows Metafiles from untrusted sources
Block access to Windows Metafiles at network perimeters
Reset the program association for Windows Metafiles
I had a brief discussion today with some admins and told them I disagree with the latter recommendation. No one seemed to object, perhaps because it would be such a royal pain to implement thoroughly and it might not even be effective, but who knows at this point. So we’ve rolled out the top two (plus HTTP and SMTP filtering) and are observing traffic.
I posted some of the same info over on Bruce’s blog…
Latest report is that the exploit installs if you even download or index an infected WMF file. In other words if you use Google Desktop, which automagically touches your media files, then your system will be trojaned faster than you can say “how convenient”. No known patches are available.
F-secure, as usual, is ahead of the game with a new signature that detects the three variations already in the wild. They also have a pointer to Sunbelt who has a link to BugTraq.
Sparse information so far, but the early responders seem pretty concerned and recommending that WMF be filtered and/or all traffic be blocked to the following sites:
This seems far more serious than a Saudi teen winning a secular talent competition, so let’s hope someone higher-up issues the appropriate fatwa and/or is able to shutdown or block traffic at the carrier level.
Reuters said on Monday that a second telecom company in Saudi Arabia will block SMS messages intended as votes for a TV show:
Saudi religious scholars last May condemned the hugely popular talent show aired by Lebanese channel LBC as a crime against Islam when a young Saudi returned to a hero’s welcome after winning in the Lebanese capital Beirut.
The Saudi Telecommunications Co. (STC) made an announcement last January that it would block the messages, based on a religious decision made the prior year. The only other cell company in the country, a UAE-based consortium called Mobily (Etihad Etisalat), is finally following suit:
“We will definitely lose money, but how much, I don’t know,” [Mobily spokesman] Alghodaini said about the decision. “If we don’t (stop messaging) it would backfire on us and affect our brand.”
So, the carriers have been prohibited from profits related to the show, which does not stop the show or other forms of voting. Moreover, this certainly raises an interesting dilemma since the content of the message itself is not the problem but rather the intent of the sender to participate in a form of communication deemed objectionable to the religious leaders. And that kind of standard makes violations hard to find, let alone block.
Here’s a funny new trend in announcing software to your users. “Microsoft Messenger 8 has not been released”. In fact, you may even want to say “If you see a file called BETA8WEBINSTALL.EXE (or an obvious variation/advertisement) then please ignore.”
Even the old saying “patch early/often” can and will be held against you by the clever worm and virus authors.