[WinPartners] unpatched Windows exploit (WMF)

Tim McGovern tjm at MIT.EDU
Tue Jan 3 16:12:16 EST 2006


Paul,

In response to your question, let me review some of the facts that we  
have in this evolving situation, some of which you probably already  
know.

Although there are exploits on the loose, we are not seeing any  
infections within the MIT network at this time.  We are monitoring  
the situation.

The primary attack vectors are the Picture and FAX viewer in  
conjunction with malware infected websites.  Aggregating protection  
through updated anti-virus software, disabling the viewer and  
practicing safe email habits should buy us all enough time to verify  
and deploy the SANS patch, or until Microsoft's official patch is released.

However, there are steps we can recommend to everyone that will  
reduce one's risk.

1. Make sure you back up your system frequently (daily if possible).

2. Make sure virus definitions on McAfee Enterprise are set to update  
daily, and that you are running with the latest definitions. Check to  
make sure updates are actually happening by starting the McAfee  
console and looking at the timestamp on the definitions update.

3. Make sure your machine is set up to auto-download and auto-install  
critical updates, either via MIT's WAUS service or normal Windows  
Update. It should be configured to check for updates daily. Microsoft  
is throwing significant resources at having a patch soon, and you  
want the window between patch availability and download to be as  
small as possible.

4. Be extra cautious about opening pictures or HTML documents you  
receive in email until a patch is available.

5. If your email client supports it, turn off automatic loading of  
HTML content and automatic display of pictures.

6. If you already have an alternate web browser installed (such as a  
current version of Firefox) which does not automatically display WMF  
format images, use it at least until a patch is available.  If using  
such a browser, do not download and open image files unless you are  
sure of what they are.

7. Don't click on URLs you receive in email directly. If you receive  
mail with a web link, type the link or site into your web browser  
manually. At a minimum, if it is personal email from someone you know  
asking you to look at a site, cut-and-paste the URL from the email  
into a web browser, and read it to see if it makes sense before hitting  
return or "Go" or whatever. If it is email from a company, manually  
type in the company's web site and navigate to where they want you to  
go.

Not only does this keep you from jumping to a web site that will load  
a WMF file (one way exploits for this beast can spread), but it is  
also generally useful in preventing phishing attacks.

Microsoft is currently working hard on a patch (according to our  
contacts) and throwing significant resources at the problem.  As you  
know, the internal version has been completed, and we are working on  
getting the pre-release version of the patch for testing, possibly as  
early as today. Microsoft's latest bulletin indicates a date of  
January 10th for release of an official patch.

      See: http://www.microsoft.com/technet/security/advisory/912840.mspx

Others are working hard on evaluating a third-party patch that's been  
verified and announced by the SANS organization.

      Note: we are not yet ready to recommend this patch.

Our concern is that installing the SANS patch may cause problems down  
the road with official MS patches and updates, leaving the system  
vulnerable in the future.

We do expect to deploy a patch from Microsoft via MIT's WAUS service  
when Microsoft releases a patch to the general public, or before.

-- Tim
==============================
Tim McGovern
Manager, I/T Security Support
Client Support Services
Information Services & Technology
Massachusetts Institute of Technology
77 Massachusetts Ave. Room N42-040k
Cambridge MA 02139-4307
(617) 253-0505
