Wednesday, January 04, 2006

WMF exploit again, interviews and Sober!

At the moment, the number of different WMF exploits I have seen has gotten well past a hundred, and more are coming every hour. But that's not the worst. The most recent exploits show that the bad guys have been very, very busy finding and implementing new ways to get their exploits past various AV products. So much for the dark side taking a break over the winter holidays and New Year... And of course Microsoft is busy developing a fix, but that takes ages... Good points, however, for Ilfak Guilfanov's patch, which is currently the most popular one. Also, a beta version of the Microsoft patch, scheduled to be released on January 10, was leaked on the Internet. Microsoft has recommended that customers "disregard" it and warns that threats could be hidden in any patches coming from dubious sources. Of course, you should never use a patch from an untrusted source, no matter how promising it looks. Ilfak's patch is the only one I can recommend. Make sure you do some testing beforehand, though, especially if you are going to deploy it on a large number of production machines. You should always be very wary of any third-party patch from an untrusted source, whether it claims to fix an old vulnerability or the latest WMF vulnerability. This is a method which has successfully been used in the past to distribute malware.

During the day I've been interviewed by two Belgian TV broadcast stations, VRT and VTM. You can find the interviews on their sites, www.vrt.be and www.vtm.be; I will also post a snippet of them next weekend on my press page. The newspaper 'De Morgen' also asked me for some comment.

As I told you before (last year?) in this blog, this exploit would become a large problem.
You can definitely see that now, can't you?

And possibly, with all these problems, we will miss another upcoming problem... the rise of the old Sober... its update phase starts on the 6th of January 2006. This means that all machines infected by Sober will try to download and execute code from certain addresses... oh oh, what a week!!!!