Slashdot Mirror

← Back to Stories (view on slashdot.org)

Trustworthy Computing

Posted by Hemos on from the how-to-solve-these-issues dept.

Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."

4 of 465 comments (clear)

  1. Re:SPI Aren't meant for this type of filtering... by grenthal · · Score: 5, Informative

    FTFA

    * Should I just block all .WMF images?

    This may help, but it is not sufficient. WMF files are recognized by a special header and the extension is not needed. The files could arrive using any extension, or embeded in Word or other documents.

  2. Re:"the snort rule will peg the CPU on your router by PenguinOpus · · Score: 5, Informative

    I believe this is because _any_ image is vulnerable to infection. Because Microsoft checks the header for every image file and treats it as WMF if the header matches, all jpegs, gifs, and pngs are potential vectors for the disease. A router that has to inspect _every_ image that is surfed by users behind it will immediately turn into a bottleneck.

    A couple of the other comments here seem to miss this very important point:

    It's not just files with ".wmf" at the end. Any image file will get unwrapped by Microsoft code and the callback will get executed. Woof.

  3. Re:Shame on Hemos by Saint+Aardvark · · Score: 5, Informative
    There should've been a link to this:

    There is one important note in regards to ALL published signatures including this one. All these signatures will fail to detect the exploits when the http_inspect preprocessor is enabled with default settings. By default, the flow_depth of the preprocessor is 300 which is too short to cover the whole exploit. Should the exploit be transmitted on port 80 and http_inspect is enabled, no alert will occur. Note that it will still alert on any ports (using the all port sig below) that are not configured in http_inspect (ie FTP).

    One solution is to add the statement "flow_depth 0" to the http_inspect preprocessor (actually the appropriate http_inspect_server line in the config). This will tell the preprocessor not to truncate the reassembled pseudo-packet, but it will have an adverse impact on performance. On busy networks, this will lead to 100% CPU utilization of the Snort process and major packet drops.

    And you should've checked before saying it was all made up.

    --
    Carousel is a lie!
  4. Deploying to many machines is hard by ilfak · · Score: 5, Informative

    I'm the author of the hotfix and one could expect me to say 'yes, please go ahead and install it on your corporate network with thousands of machines'.

    But I won't say that.

    First of all deploying any software on a large network is a serious task. It should be carefully planned and performed with the correct (read: responsible) approach.

    The hotfix must be tested on as many machines as possible. Possible negative consequences must be determined and decided upon if they are acceptable or not.

    In short, more rigorous testing is required.

    -------
    Ilfak Guilfanov, the author of the hotfix