The team of volunteers at the SANS Internet Storm Center has published
a new Frequently Asked Questions (FAQ) entry on the serious "WMF
vulnerability" that places nearly all Windows computers at risk of
compromise:
http://handlers.dshield.org/jullrich/wmffaq.html
They note that "our current 'best practice' recommendation is to both
unregister the DLL [as recommended by Microsoft and reiterated by John
Ives here on campus] and to use the unofficial patch [which provides
more comprehensive protection]," at least until Microsoft releases its
own fix for this vulnerability, which is currently scheduled for January
10.
You'll need to use your own judgement regarding whether to install the
"unofficial patch" that the SANS ISC is recommending. Microsoft - in
the latest update to their official advisory - and John have both raised
concerns about doing so. Microsoft notes that:
> As a general rule, it is a best practice to utilize security
> updates for software vulnerabilities from the original vendor
> of the software. With Microsoft software, Microsoft carefully
> reviews and tests security updates to ensure that they are of
> high quality and have been evaluated thoroughly for application
> compatibility. ... Microsoft cannot provide similar assurance
> for independent third party security updates.
For a contrasting view from a SANS volunteer, please see:
http://isc.sans.org/diary.php?storyid=996
If you do choose to take the risk of installing the "unofficial patch" -
with unknown effects on system stability, application compatibility, and
its potential impact on the subsequent installation of the official
Microsoft patch - please heed both the caveat and instructions at
<http://isc.sans.org/diary.php?storyid=992>:
> Patching with unofficial patches is very risky business, this
> comes without any guarantees of any kind. Please do back out
> these unofficial patches before applying official patches
> from Microsoft. When MS comes out with a real patch ... [first]
> uninstall this [unofficial patch] from Add/Remove programs on
> the Control Panel [before installing the official Microsoft patch].
Finally, the new SANS FAQ also notes, regarding the ability of
anti-virus software to detect and block exploits of this vulnerability:
"At this point, we are aware of versions of the exploit that will not be
detected by antivirus engines. We hope they will catch up soon. But it
will be a hard battle to catch all versions of the exploit. Up to date AV
systems are necessary but likely not sufficient."
Nonetheless, it should be repeated that keeping your anti-virus software
up to date with daily virus definition updates is another key component
of a 'defense in depth' against exploits of this vulnerability.
Aron Roberts
Workstation Software Support Group
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Tue Jan 3 09:43:25 2006