Antivirus scanning update for WMF

January 4th, 2006

I hung on to the last batch of 20 WMF exploit samples I had been working with for the purpose of testing my Clam AntiVirus install against them to see when “full detection” of all 20 had been achieved. Last night, with version 1227 of the daily.cvd database, they were still detecting 8 out of the 20. Now, the signatures seem to have improved, as with version 1228 of daily.cvd ClamAV detects all 20 as Exploit.WMF.Gen-3 FOUND.


XP Home support period

January 4th, 2006

This is something you should consider if you are looking to abandon a pre-WinXP operating system in favor of a flavor of XP: the product life cycle. In their infinite wisdom, Microsoft has different support plans for consumer products than “business-products”. As such… arstechnica.com has a post explaining why support for Windows XP Home will end at the end of this year (12/31/06) and Windows XP Pro will continue to be supported perhaps as long as December of 2013.


Hexblog (WMF unofficial patch) back up

January 4th, 2006

Yesterday the hexblog, which is the site of the person that wrote the unofficial patch for the WMF exploit, was offline for bandwidth overuse. Several mirror sites popped up to host the patch. Today the site is back up at http://www.hexblog.com/ in a more minimal form. If you can’t reach the page, it’s suggested that you try the IP address directly, http://216.227.222.95, as the DNS changes are likely still propagating.


Another trojan using WMF exploit in SPAM

January 4th, 2006

F-Secure is reporting on another SPAM attack that tries to get people to click on a link to a site with an exploit-crafted WMF file. The message is along the lines of a claimed Professor at Yale announcing the unfortunate vandalism over the New Year holiday; the link purports to be pictures of the act in the “hope that someone may recognize the culprits work”. I’m sure this won’t be the last of that sort….


USB flash drive with electronic paper display

January 4th, 2006

Just saw this over at Engadget. It’s a Lexar JumpDrive with an “amount filled” indicator. The twist is that the “amount filled” display is done with electronic paper. What this means is that you can see how full the drive is without plugging it into a PC. The electronic paper doesn’t draw power to hold the display.


Possible network printing problems with the unofficial WMF patch

January 4th, 2006

The Sunbelt Blog has picked up on a report of some network printing problems with the unofficial WMF exploit patch installed. The first report was on the fulldisclosure list. It is recommended that the patch be tested before rolling out. Software configurations vary by environment…


Lack of working exploit does not mean Windows 98 is safe

January 4th, 2006

I want to try to clarify a point. I’ve spent a couple days trying to get current exploits to work on a Windows 98 SE virtual machine. Not to prove that Windows 98 is safe, but to determine if current exploits affect Windows 98. Yesterday evening there were apocalyptic headlines saying that virus threatens every windows os shipped since 1990, which is overhyped. The current vulnerability exists in every Windows operating system shipped since 1990. The current exploit for that vulnerability doesn’t seem to work on Windows 98 (you have to go a long ways to find a configuration that the current exploit works with… I haven’t yet.) This does not mean that Windows 98 is invulnerable. It simply means that this specific attack does not easily work. Tomorrow may be different; now that the problem is known, it may be just a matter of time before someone determines WHY Windows 98 is not as affected and “corrects” the problem.


Busy week

January 3rd, 2006

Well last week was technically my “vacation” from computer work…. it didn’t quite turn out that way, but I did enjoy what I got to do, although I would much rather the WMF exploit had not come about. The week is shaping up to be quite busy with regards to appointments, so I doubt you should expect as high a rate of posting as there was last week. I’ll do my best to continue to hit the highlights. Thanks for visiting.


Microsoft warns against unofficial patch

January 3rd, 2006

I didn’t exactly expect a parade staged by Microsoft for the writer of the unofficial patch for this WMF vulnerability, but…. eWeek tells us that Microsoft says “beware of unofficial WMF patch”. It also mentions that behind the scenes Microsoft officials are furious that the threat has been overblown. Personally, I think they’ve downplayed the issue in their recent security bulletin and frankly, I’ve seen quite a bit of overblown hype. (*virus threatens every windows os shipped since 1990…)


Microsoft advisory on Sober “Awakening”

January 3rd, 2006

Microsoft has posted a security advisory (912920) on the previously reported “awakening” of the Sober worm, expected January 6th.

Systems that are infected with Win32/Sober.Z@mm may download and run malicious files from certain Web domains beginning on January 6, 2006

Further they give the following note….