On Mon, January 2, 2006 15:55, Karl R. Grose wrote:
>
> On Monday 02 January 2006 15:13, Doug Neuhauser wrote:
>
>> One of my users sent me today info that seems to indicate that the
>> current Symantec anti-virus should protect systems.
>> Is this indeed true?
>
> This Symantec page would seem to indicate yes, if you got the updates
> available starting on Dec. 28th:
>
> http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.56.html
It's worth noting that Symantec currently has a "heuristic detector" for
this exploit, so the effectiveness of its detection depends on how well
its heuristic algorithms can identify WMF files containing exploit code.
This may be challenging for Symantec to do, unless perhaps they could
somehow detect within the contents of such files whether the exploited
calls in the GDI API are invoked, possibly through knowledge of those
file formats and API, or else could come up with a similar detection
algorithm. Is it likely that they would have come up with such a
solution so quickly? As for straight signature-based detectors, forget
it. As Steve Gibson wrote:
"Anti-Virus vendors quickly updated and began pushing out their A-V
signature files. These have been effective, but a new very flexible
exploit generation tool has appeared that's able to create so many
different variations of the exploit that A-V signatures are having trouble
keeping up."
And Brian Krebs wrote in the Washington Post that:
"This is a big deal because so far -- without a patch from Redmond to
remedy this problem -- the major antivirus vendors have been the first
lines of defense against this attack, and they have relied mainly on
adding new signatures to their software to detect the latest threats each
time a new one appears. But by changing the profile of the attack slightly
with each iteration, the new exploit's random attack code has a far
greater chance of slipping past software shields."
"SANS said the random garbage added onto any attack code generated with
the new exploit could make it very hard for anti-virus companies to
develop signatures to detect the new threats."
It appears clear that the ultimate fix will still be for Microsoft to
revise the relevant parts of its graphics rendering engine. Until then,
"defense in depth" through multiple protection measures may be the best
option, rather than relying solely on one's A/V software.
The following Wikipedia entry capsulizes some of the more commonly-seen
recommendations seen on the 'net; see the "Workaround" section of the
entry:
http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability
Aron Roberts
Workstation Software Support Group
P.S. Information about this vulnerability and its exploits appears to be
somewhat fluid and occasionally contradictory. For instance, there is
differing information provided on various web pages about exactly which
Windows OSes are vulnerable to the exploits released to date and whether
Data Execution Protection in WinXP SP2 is of value. There also appears to
be a growing consensus that Microsoft's current suggestion to de-register
shimgvw.dll does not offer sufficient protection, in and of itself,
against the latest evolving exploits of this vulnerability.
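The message above contrasts byte-pattern signatures with a detector that understands the WMF record format and the GDI calls it invokes. As an added illustration (not from any list member or vendor), the following Python walks the WMF record stream and flags a META_ESCAPE record carrying the SETABORTPROC escape code, a record a picture viewer never needs; the two metafiles it is run against are constructed in place and are not real samples.

```python
import struct

META_ESCAPE = 0x0626        # WMF record function that passes through to GDI Escape()
SETABORTPROC = 0x0009       # Escape sub-code abused by the Dec 2005 WMF exploits
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte Aldus placeable header

def wmf_records(data):
    """Yield (offset, function, params) for each record in a WMF byte string.
    Record layout: Size (u32, in 16-bit words), Function (u16), parameters."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                 # skip the placeable header
    off += 18                    # skip the fixed-size METAHEADER
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:       # the record header alone is 3 words
            raise ValueError(f"malformed record at offset {off}")
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == 0:            # META_EOF terminates the stream
            return
        off = end

def find_abortproc_escapes(data):
    """Return offsets of META_ESCAPE records whose escape code is SETABORTPROC.
    The check keys on record semantics, not on any particular payload bytes,
    so re-randomising the payload does not evade it."""
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits

def _header(n_words, max_rec):
    # METAHEADER: Type=1 (disk), HeaderSize=9 words, Version=0x300, Size in words,
    # NumberOfObjects=0, MaxRecord in words, NumberOfMembers=0
    return struct.pack("<HHHIHIH", 1, 9, 0x300, n_words, 0, max_rec, 0)

def _record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

# Constructed test vectors: a benign SetMapMode+EOF file, and one whose first
# record is a SETABORTPROC escape with an empty (zero-length) data block.
BENIGN_WMF = _header(16, 4) + _record(0x0103, struct.pack("<H", 8)) + _record(0)
FLAGGED_WMF = (_header(17, 5)
               + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))
               + _record(0))

if __name__ == "__main__":
    print("benign:", find_abortproc_escapes(BENIGN_WMF))    # []
    print("flagged:", find_abortproc_escapes(FLAGGED_WMF))  # [18]
```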
Received on Mon Jan 2 17:08:43 2006
This archive was generated by hypermail 2.1.8 : Mon Jan 02 2006 - 17:08:44 PST