Microsoft makes errors in Microsoft Security Advisory (912840)

Jim

[Standard Disclaimer: I could always be wrong.....but.....]

In the most current update to Microsoft's Security Advisory about the WMF
exploit (http://www.microsoft.com/technet/security/advisory/912840.mspx), I
believe that there are several mis-statements that should be addressed in the
"Mitigating Factors" section.

1) "In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability."
This is false. Attackers can post infected files to unsecured websites or
photo blogs like Flickr. Hosting the website would add an unwanted trail to
the hacker and is avoided by all but the most inexperienced hackers. While
script kiddies will host this exploit, the more advanced exploitations are
likely to pop up on websites NOT hosted by the attackers.

In fact, all you have to do is view an infected image onscreen to
launch the attack against your PC.

2) "Instead, an attacker would have to persuade users to visit the Web site,
typically by getting them to click a link in an e-mail or Instant Messenger
request that takes users to the attacker's Web site." Also not true.
Pop-ups can also hold exploits used to take over a user's PC. As you are
aware, you don't have to do anything to get a pop-up to launch except visit
a site that may have no knowledge of what is in the pop-up (other than any
advertising agreements they have with the pop-up target site or ad
reseller).

Also not taken into account is the rather nasty habit that most
websites (even sites like www.CNN.com) have of hosting third-party images that
are frequently retrieved from even a 4th, 5th or Xth party site. This
increases the likelihood of an attack being launched via 3rd party images on
even well-respected sites like www.cnn.com or www.cnet.com .

3) "In an e-mail based attack involving the current exploit, customers would
have to click on a link in a malicious e-mail or open an attachment that
exploits the vulnerability." This is not true for any user that reads their
email in HTML format. HTML emails automatically download and display images
in HTML emails. This means that simply reading an HTML email can infect an
unpatched machine. You don't have to click a thing.

A little lower in the updated advisory Microsoft states "In Windows
Server 2003, Microsoft Outlook Express uses plain text for reading and
sending messages by default. When replying to an e-mail message that is sent
in another format, the response is formatted in plain text.", indicating
that they are aware of the HTML email vulnerability, but not making it clear
that reading emails in HTML format can launch an attack without clicking on
anything.

4) "At this point, no attachment has been identified in which a user can be
attacked simply by reading mail." This is true and should be differentiated
from #3's mis-statement. An attachment must be clicked to be viewed. Note
the word "attachment". HTML emails (if read in HTML format) load their
images from servers and display them automatically within the email when you
view the HTML email. When reading an HTML email that contains an infected
image file, you do not need to click anything for the exploit to be
executed. The display of the image on your screen is all it takes to launch
its payload.

Financial Times states "Unlike most attacks, which require victims to
download or execute a suspect file, the new vulnerability makes it possible
for users to infect their computers with spyware or a virus simply by
viewing a web page, e-mail or instant message that contains a contaminated
image." - at
http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html

5) "This issue is not known to be wormable." Not true. An MSN Messenger
worm has already been reported to be spreading in the wild - see
http://www.f-secure.com/weblog/archives/archive-122005.html and
http://www.viruslist.com/en/weblog?discuss=176892530&return=1.

If I've got anything wrong here (I'm not perfect either ;) )....speak up.

Jim
 
Ken Schaefer

I would send this to (e-mail address removed) if you would like the necessary
people to look over your comments.

Cheers
Ken


 
Jim

Thanks.....I will send it and let you know what they say.

Jim

 
Josh Einstein

Jim, also I think one cross-posted thread is enough. Over here in the Tablet
PC newsgroup these multiple threads are beginning to be quite a distraction
and I imagine elsewhere too.

--
Josh Einstein
Tablet Enhancements for Outlook 2.0 - Try it free for 14 days
www.tabletoutlook.com

 
David Candy

Just some hysterical person who thinks they've discovered something.

--
--------------------------------------------------------------------------------------------------
Goodbye Web Diary
http://margokingston.typepad.com/harry_version_2/2005/12/thank_you_and_g.html#comments
=================================================
 
Chris H.

Please stop cross-posting to all these groups. The windowsxp.general
newsgroup should suffice.
--
Chris H.
Microsoft Windows MVP/Tablet PC
Tablet Creations - http://nicecreations.us/
Associate Expert
Expert Zone -
 
David Candy

Get stuffed. Use the tablet group for this crap.

--
--------------------------------------------------------------------------------------------------
Goodbye Web Diary
http://margokingston.typepad.com/harry_version_2/2005/12/thank_you_and_g.html#comments
=================================================
 
David Candy

There I fixed it so it will work.

--
--------------------------------------------------------------------------------------------------
Goodbye Web Diary
http://margokingston.typepad.com/harry_version_2/2005/12/thank_you_and_g.html#comments
=================================================
 
