Re: Encountered WMF Vulnerability
- From: "MAP" <mikepawlak2REM@xxxxxxxxxxxxxx>
- Date: Mon, 2 Jan 2006 08:36:48 -0500
cquirke (MVP Windows shell/user) wrote:
>> The difference for the more effective products is likely to be
>> heuristic detection, tracking the threat by identifying the basic
>> techniques of the exploit, rather than looking for specific patterns
>> for specific exploits.
>
> Well, those who believe in throwing money at one "good" av product may
> be in a YMMV situation, as Kaspersky (the usual fundi's favorite)
> detects only one more malware than AVG (the freebie favorite). In
> fact, the results are quite different to what one might have expected,
> with Avast, ClamAV and VirusBuster (?) doing so well and Norman,
> F-Prot, eSafe/eTrust and Kaspersky doing so badly.
>
> It's also interesting to see F-Secure doing so much better than
> Kaspersky and F-Prot, who are the two main engines it uses.
>
> So this favors the "use multiple scanners" approach, as opposed to
> "spend money on one good scanner" - except that the nature of this
> threat really requires on-access protection, whereas "use multiple
> scanners" is best done as one resident av backed by multiple on-demand
> scanners (one of which would be the free BitDefender).
>
> So far, defenses and resources have included:
>
> 1) An unofficial patch
>
> This is code that injects into the at-risk process, to capture
> attempts to access the defective code. One wonders if this will crash
> into resident av products that try the same approach?
>
> 2) Un-registering a relevant .DLL
>
> 3) Deleting or renaming away a relevant .DLL
>
> This is complicated by Windows File Protection in XP and WinME, though
> the latter can be managed as per...
>
> http://cquirke.mvps.org/9x/sr-sfp.htm
>
> It certainly seems the best approach for Win95/98, for which no patch
> is expected to be forthcoming from MS.
>
> 4) Testing the system to see if it is vulnerable
>
> The vulnerability scanner is from the same folks who came up with the
> unofficial patch; sorry no URL to hand.
>
> 5) Killing the file association for .WMF files
>
> This should work, but doesn't, because the OS is badly (unsafely)
> designed to interpret WMF content as WMF even when it is found in
> files that should not contain it, i.e. have file name extensions that
> imply the file is some other type.
>
> This applies not only where it might be inevitable, such as embedded
> material within a Word document, but in stand-alone .JPG etc. as well.
> This management also does not address risks from "services" that grope
> material in the background, such as the indexing service.
>
> There are two big "thou shalt not" lessons in there, but I fear MS
> won't learn from them, and will continue creating even greater risks
> from underfootware file groping and dangerous management of material
> that is mis-represented at the file name extension level.
>
> 6) Using XP SP2 DEP with DEP-capable processor
>
> This can often catch this sort of raw code exploit, if it blocks the
> code on the basis that it is within what is supposed to be data.
> Whether it will always block every possible exploit of this defect is
> another matter; maybe, maybe not.
>
> 7) In av we trust
>
> Well, eventually the av may catch this stuff reliably, and then it
> becomes a matter of whether all possible material routes are
> intercepted by the resident av. Could bring "email scanning" back
> into fashion, for example, if material embedded within an email
> "message" doesn't go through an opportunity to trigger a scan when the
> graphic is created as a temp file.
>
> 8) Fiddling with user account permissions
>
> May help a bit, but not even MS is claiming it's a reliable,
> bullet-proof fix. It's down there with "don't browse dodgy sites" and
> "don't open email from someone you don't know".
>
> Well, no; it's far more rational and useful than "don't open email
> from someone you don't know" - that really is a pretty useless
> approach, given that malware usually arrives from someone you know **,
> and by the time the embedded images are displayed in the (pre-)view,
> you are sunk. Viewing email as plain text would be a better fix.
>
> ** Specifically, a PC that has your address stored on it
>
>
>
> ---------- ----- ---- --- -- - - - -
> Don't pay malware vendors - boycott Sony
> ---------- ----- ---- --- -- - - - -
>>Well, those who believe in throwing money at one "good" av product may
>>be in a YMMV situation, as Kaspersky (the usual fundi's favorite)
>>detects only one more malware than AVG (the freebie favorite). In
>>fact, the results are quite different to what one might have expected,
>>with Avast, ClamAV and VirusBuster (?) doing so well and Norman,
>>F-Prot, eSafe/eTrust and Kaspersky doing so badly.
I like your post, but one small, but highly relevant item remains: there are
many more threats out there than the WMF exploit, so one should not choose their
AV software solely on this one item.
--
Mike Pawlak
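Item 5 in the quoted post (killing the .WMF association does nothing because the OS renders WMF content by what the bytes are, not by the extension) means a defensive scan has to work the same way. The following is an added example, not code from either poster: a Python sniffer that recognises a metafile by its placeable (Aldus) header or its METAHEADER, walks the record stream for structural anomalies, and flags files whose extension does not match their content. The sample files are constructed inline (a hand-built minimal metafile, a stub JPEG, and a truncated copy); none is a real exploit file, and the function names are assumptions of this example.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7      # "Aldus" placeable header key, little-endian D7 CD C6 9A
META_HEADER_FMT = "<HHHIHIH"      # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters


def build_sample_wmf() -> bytes:
    """Constructed sample: a minimal placeable WMF with two records. Not a real exploit file."""
    head = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (w,) in struct.iter_unpack("<H", head):   # checksum = XOR of the 10 preceding WORDs
        checksum ^= w
    placeable = head + struct.pack("<H", checksum)
    records = struct.pack("<IHH", 4, 0x0103, 1)    # META_SETMAPMODE(MM_TEXT): 4 words
    records += struct.pack("<IH", 3, 0x0000)       # META_EOF: 3 words
    total_words = (18 + len(records)) // 2
    meta = struct.pack(META_HEADER_FMT, 2, 9, 0x0300, total_words, 0, 4, 0)
    return placeable + meta + records


def sniff_wmf(data: bytes):
    """Return a dict describing WMF content in `data`, or None if the bytes are not a metafile.
    Only the bytes are examined, never the file name, mirroring the GDI behaviour the post describes."""
    off, placeable, checksum_ok = 0, False, None
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        placeable, off = True, 22
        cs = 0
        for w in struct.unpack_from("<10H", data, 0):
            cs ^= w
        checksum_ok = cs == struct.unpack_from("<H", data, 20)[0]
    if len(data) < off + 18:
        return None
    mt_type, hdr_size, version, mt_size, _, _, _ = struct.unpack_from(META_HEADER_FMT, data, off)
    if mt_type not in (1, 2) or hdr_size != 9 or version not in (0x0100, 0x0300):
        return None

    anomalies, functions, saw_eof = [], [], False
    if mt_size * 2 != len(data) - off:
        anomalies.append(f"mtSize says {mt_size * 2} bytes, file holds {len(data) - off}")
    pos = off + 18
    while pos + 6 <= len(data):                    # each record: DWORD size-in-words, WORD function
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:
            anomalies.append(f"record at {pos} shorter than its own header")
            break
        if pos + size_words * 2 > len(data):
            anomalies.append(f"record at {pos} (func 0x{func:04X}) runs past end of file")
            break
        functions.append(func)
        if func == 0:
            saw_eof = True
            break
        pos += size_words * 2
    if not saw_eof:
        anomalies.append("no META_EOF record")
    return {"placeable": placeable, "checksum_ok": checksum_ok, "version": version,
            "mt_type": mt_type, "functions": functions, "anomalies": anomalies}


def classify(name: str, data: bytes) -> dict:
    """Verdict for one file: is it WMF by content, and does the extension lie about it?"""
    info = sniff_wmf(data)
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    return {"name": name, "is_wmf": info is not None,
            "extension_mismatch": info is not None and ext != "wmf", "info": info}


def constructed_samples() -> dict:
    """Constructed inputs for the scan; file names and contents are made up for this example."""
    wmf = build_sample_wmf()
    return {
        "chart.wmf": wmf,
        "holiday.jpg": wmf,                                            # WMF bytes under a .jpg name
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(40),  # stub JPEG, not a metafile
        "cut.wmf": wmf[:-8],                                           # last record runs past EOF
    }


def scan_samples() -> dict:
    return {name: classify(name, data) for name, data in constructed_samples().items()}


if __name__ == "__main__":
    for v in scan_samples().values():
        tag = "WMF" if v["is_wmf"] else "not WMF"
        flag = "  <-- extension does not match content" if v["extension_mismatch"] else ""
        print(f"{v['name']:12s} {tag}{flag}")
        if v["info"] and v["info"]["anomalies"]:
            print("    anomalies:", "; ".join(v["info"]["anomalies"]))
```

The scan only covers stand-alone files; metafiles embedded in other containers (the Word-document case the post mentions) would need the container parsed first. Rather than matching one specific bad record, the walk reports structural anomalies, which is closer to the heuristic approach the quoted post favours over per-exploit signatures.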
- Follow-Ups:
- Re: Encountered WMF Vulnerability
- From: cquirke (MVP Windows shell/user)
- Re: Encountered WMF Vulnerability
- References:
- Encountered WMF Vulnerability
- From: Jack
- Re: Encountered WMF Vulnerability
- From: MAP
- Re: Encountered WMF Vulnerability
- From: Richard Urban
- Re: Encountered WMF Vulnerability
- From: cquirke (MVP Windows shell/user)