VMWare Browser

Published: 2006-01-02. Last Updated: 2006-01-07 13:21:13 UTC
by Marcus Sachs (Version: 2)
0 comment(s)
In all of the confusion over the .wmf issue comes a bit of hope from one of our favorite vendors.  VMWare has a Browser Appliance virtual machine available for free download.  It's a BIG file (258Mb zipped) so be sure you have a plenty of time for downloading.  The appliance can be run in either VMWare Workstation or the free VMWare Player and provides you with a safer environment for web surfing.  Thanks to John Holmblad for pointing this out to us. 

(Be sure that you are running the latest version of VMWare Workstation, since there was a security issue disclosed several days ago.  Also, note that the VMWare Player installion process asks if you want to install the Google desktop search application, which should remind you of yet another vector for the .wmf vulnerability to manifest itself.)

UPDATE - two more sandbox approaches to browsing were sent to us.  Morland Halliday said to check out www.greenborder.com, and Derrill Guilbert pointed us to www.sandboxie.com.  Thanks to both of you!



Keywords:
0 comment(s)

Overview of the WMF related articles at the ISC

Published: 2006-01-02. Last Updated: 2006-01-03 16:28:03 UTC
by Tom Liston (Version: 6)
0 comment(s)
Since this is one of the more complex stories to follow I've made a quick overview of the WMF issues.

The first story on the WMF vulnerability and the initial exploit
http://isc.sans.org/diary.php?storyid=972

The update explaining why we went to yellow the first time around
http://isc.sans.org/diary.php?storyid=975

The story pointing to the Microsoft bulletin
http://isc.sans.org/diary.php?storyid=976

The availability of the first snort sigs
http://isc.sans.org/diary.php?storyid=977

The going back to green article
http://isc.sans.org/diary.php?storyid=978

More WMF signatures
http://isc.sans.org/diary.php?storyid=980

Lotus notes affected
http://isc.sans.org/diary.php?storyid=981

The bandaid post: deregistering not reliable, extension filtering not enough
http://isc.sans.org/diary.php?storyid=982

The free phone number for micrsoft support
http://isc.sans.org/diary.php?storyid=985

Indexing and WMF
http://isc.sans.org/diary.php?storyid=986

Musings on how to protect organisations beyond the trivial
http://isc.sans.org/diary.php?storyid=990

An IM worm found using the WMF stuff
http://isc.sans.org/diary.php?storyid=991

The second exploit, back to yellow, new sigatures and an unoffical patch
http://isc.sans.org/diary.php?storyid=992

The WMF FAQ
http://isc.sans.org/diary.php?storyid=994

2nd generation exploit use in spam
http://isc.sans.org/diary.php?storyid=995

Trustwothy computing
http://isc.sans.org/diary.php?storyid=996

Recommended block list
http://isc.sans.org/diary.php?storyid=997

Status of the anti-virus detection after one day
http://isc.sans.org/diary.php?storyid=998

Updated version of Ilfak Guilfanov's patch
http://isc.sans.org/diary.php?storyid=999

More .wmf woes
http://isc.sans.org/diary.php?storyid=1002

Installing a Patch Silently
http://isc.sans.org/diary.php?storyid=1004

.wmf FAQ Translations
http://isc.sans.org/diary.php?storyid=1005

Checking for .wmf Vulnerabilities
http://isc.sans.org/diary.php?storyid=1006

MS to Release Update on Jan 10
http://isc.sans.org/diary.php?storyid=1009

.MSI installer file for WMF flaw available
http://isc.sans.org/diary.php?storyid=1010

--
Swa Frantzen


Keywords:
0 comment(s)

Scripting the Unofficial .wmf Patch

Published: 2006-01-02. Last Updated: 2006-01-03 16:06:03 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
Brent Hughes sent us a script that he used today to push the unofficial .wmf patch across his enterprise.  Here is what he sent us, and I suspect that it will work nicely with the updated patch from Ilfak.  Note that our html editor sometimes eats backslashes, apologies if that happens below.


I put the patches in netlogon to help distribute the load a bit across the domain controllers.  Here's just the relevent section of my script (in vbscript).  It assumes the patch always installs in c:program files.  If program files is somewhere else you might have to find it [ie. progdir = objShell.ExpandEnvironmentStrings("%programfiles%")].  

----------------
Const HOTFIXDIR = "%home%\netlogon\patches"

set objShell = CreateObject("Wscript.shell") Set oFSO = CreateObject("Scripting.FileSystemObject")

if NOT oFSO.FileExists("c:program files\Windows\MetafileFix\wmfhotfix.cpp") then
    objShell.Popup "Installing WMF unofficial patch", 5
    objShell.Run "%windir%\system32\regsvr32.exe -u %windir%\system32\shimgvw.dll"
    objShell.Run HOTFIXDIR & "wmffix_hexblog13.exe /VERYSILENT /SUPPRESSMSGBOXES"
end if
-----------------

You could batch file it too (though I've never tried this in group
policy):
----------------
@echo off
if exist "c:program files\windows\metafilefix\wmfhotfix.cpp" goto end
    %windir%\system32\regsvr32.exe -u %windir%\system32\shimgvw.dll
     %home%\netlogon\patches\wmffix_hexblog13.exe /VERYSILENT /SUPPRESSMSGBOXES
:end
----------------

Put one of those in a group policy under shutdown scripts and it should patch on reboot.  I'm still working on the best way to script rebooting the network, but I'll send that too when I've got it.

-Brent
Keywords:
0 comment(s)

.wmf FAQ Translations

Published: 2006-01-03. Last Updated: 2006-01-04 20:36:34 UTC
by Marcus Sachs (Version: 4)
0 comment(s)
Thanks to the work of several of our handlers and readers, we've got a nice set of FAQs in multiple languages:

Catalan
Deutsch and Deutsch (pdf)
Dutch/Nederlands
English
Español
Italiana and Italiana
Polski
Suomenkielinen
Portugues - Br
Danish
Japanese
Slovenian
Chinese
Norwegian
Turkish
French
Latvian

More coming as they are submitted to us.

Keywords:
0 comment(s)

Installing a Patch Silently

Published: 2006-01-02. Last Updated: 2006-01-03 02:53:29 UTC
by Marcus Sachs (Version: 2)
0 comment(s)
For those who are manually patching systems using Ilfak Guilfanov's unofficial patch, handler Tom Liston says that you can install it in an unattended mode by using this incantation:

wmffix_hexblog14.exe /VERYSILENT /SUPPRESSMSGBOXES

More details are here.  This version looks like it will work well with startup scripts in the Active Directory.  Previous versions were a bit noisy and would create annoying error messages to users that might not understand what they were seeing.

A reminder:  be sure to test the patch above before deploying it across an enterprise.  While the handlers (including me) are running it on our own personal systems and it works as advertised, we can't vouch for any special software you might have in your own systems that could be disabled after the patch is installed.

Keywords:
0 comment(s)

Checking for .wmf Vulnerabilities

Published: 2006-01-02. Last Updated: 2006-01-03 02:44:21 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
As far as we know there are no tools available yet for remote scanning and detection of systems vulnerable to the .wmf issue.  Ilfak Guilfanov has a testing tool available on his website, and he cautions users that it only checks for one version of the exploit so it might not detect new variations. 

If you want to experiment with another file submitted to us by Kevin Gennuso (thanks, Kevin) you can download it here.  The file will open calc.exe and kill explorer.exe on vulnerable systems but otherwise causes no damage as far as we can tell.  As always, test this file before using it on a production or enterprise computer.  This file is useful for seeing if Ilfak's patch worked for your system.

Reik Bohne sent us a link to a test on heise.de.  It's in German but essentially what it does is provides you with a way to check your browser and your email client to see if you are vulnerable.  Like the file above, it starts calc.exe on an unpatched system.

Keywords:
0 comment(s)

More .wmf Woes

Published: 2006-01-02. Last Updated: 2006-01-02 18:01:15 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
The WMF issue continues to spin.  Overnight we received a note from HD Moore at Metasploit:

We released a new version of the metasploit framework module  for the WMF flaw, this one uses some header padding tricks and gzip encoding to bypass all known IDS signatures. Consider this "irresponsible" if you like, but it clearly demonstrates that a run-of-the-mill signature-based IDS (or A/V) is not going to work for this flaw. If anyone has any questions about why we are releasing these types of modules so early after the disclosure, feel free to drop me an email.

-HD

http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile

While many might disagree with what Moore and others are doing in the Metasploit project, be grateful that their efforts are "open" and available for both defenders and attackers to view.  If only the bad guys had the tools then the good guys would be left guessing on how this stuff works.  This reminds me of how bad we felt in the early 1990s when Satan was released.  We (the good guys) felt that they (the bad guys) had a tool that was "unfair" in that it allowed them to scan our networks looking for flaws.  Today of course no sysadmin worth his or her GIAC certification would run a network without scanning periodically for vulnerable systems.  So, if you haven't looked at the Metasploit project then today might be the day you should.  Think of it as a defender's best friend rather than an evil hacking tool.


Keywords:
0 comment(s)

Comments


Diary Archives