The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – More .wmf Woes (NEW)

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

Handler’s Diary January 2nd 2006

More .wmf Woes (NEW)

Published: 2006-01-02,
Last Updated: 2006-01-02 18:01:15 UTC by Marcus Sachs (Version: 1)

The WMF issue continues to spin. Overnight we received a note from HD Moore at Metasploit:

We released a new version of the metasploit framework module for the WMF flaw, this one uses some header padding tricks and gzip encoding to bypass all known IDS signatures. Consider this “irresponsible” if you like, but it clearly demonstrates that a run-of-the-mill signature-based IDS (or A/V) is not going to work for this flaw. If anyone has any questions about why we are releasing these types of modules so early after the disclosure, feel free to drop me an email. -HD

http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile

While many might disagree with what Moore and others are doing in the Metasploit project, be grateful that their efforts are “open” and available for both defenders and attackers to view. If only the bad guys had the tools then the good guys would be left guessing on how this stuff works. This reminds me of how bad we felt in the early 1990s when SATAN was released. We (the good guys) felt that they (the bad guys) had a tool that was “unfair” in that it allowed them to scan our networks looking for flaws. Today of course no sysadmin worth his or her GIAC certification would run a network without scanning periodically for vulnerable systems. So, if you haven’t looked at the Metasploit project then today might be the day you should. Think of it as a defender’s best friend rather than an evil hacking tool.


January 2, 2006 - Posted by | Antivirus News, Security News
