
Thread: ** HEADS UP ** IE vulnerability. EXTREMELY CRITICAL.

  1. #141
    Now.. here's something strange. Remember the blocklist that the ISC was recommending..

    InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
    Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
    Well, check out Alexa's movers and shakers (do NOT visit the sites) and look at the sites going down.

    • Skarb.biz (69.50.161.197)
    • Ep-arch.com (69.50.182.68)
    • Debri.net (69.50.182.68)
    • Buycd.org (69.50.182.69)
    • Lonely-wolf.net (69.50.182.69)
    • Cobgalls.com (69.50.182.66)


    They are all in InterCage's IP address range and from early October to the end of December, all these sites were pulling in a sh*tload of traffic.. I reckon about 60,000-80,000 uniques per day per site. Each of those servers has 50 sites running for 80 days, and poking around some random IP addresses shows that there are other servers in that farm, I count at least 6 in total with about 275 sites.

    OK, there's a wide margin for error here, but that's an astounding about of traffic they've pulled in, and if those servers were distributing the WMF exploit (I guess during December), then there could be a truly staggering number of infected PCs.

  2. #142
    Senior Member RoadClosed
    About 10 hours to get WSUS up and running on a dedicated server last summer and about 3 minutes to apply the patch this morning with a force reboot. I am happy - WSUS friggin rocks. Next the 2k servers but they don't have internet browser access anyhoo. They already have the patch but I reboot them one by one after hours. There is no roll back on this patch so I hope all is well. Next question ... to reboot the enterprise and cross my fingers or stick around for a couple of days and update all ERDs and Admin Pack CD-ROM images.... Naw too much work... Except for that damn cluster.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  3. #143
    AO Ancient: Team Leader
    I'm kinda keen on WSUS too....

    Other than picture/movie attachments I reverted our internet operability back to pre-New Year's functionality at midday....

    I don't see a widespread vector being used, I don't hear any rumors of impending doom and I do see official and unofficial patches deployed against all the regularly used boxes on my network. I told everyone to turn on any computer in their facility that they find turned off and to leave their boxes on all weekend so I'm figuring that between their sterling efforts and WSUS I will be sitting pretty by Monday..... Ahhh.... The weekend.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #144
    I think we've dodged the bullet on this one.. but I bet you that the WMF handling subsystem is full of holes like this, so I guess the bad guys will keep looking around all the legacy crap which Microsoft still bundles with their OSes.

  5. #145
    Senior Member nihil
    so I guess the bad guys will keep looking around all the legacy crap which Microsoft still bundles with their OSes.
    /off topic

    This has been a problem over the years, they never seem to clear stuff out, just add more. A classic example is Win NT4.0... if you look in the System32 folder you will find 4 executables.

    They have a .bas extension, which means they are "QuickBASIC" or "QBasic". This shipped with DOS 5.0 AFAIK.

    You have to import an executable to run them, but then you get to play "Gorillas". Although it is pretty simple, it impressed me that it was only around 75Kb in size.

    However, it does demonstrate a lack of housekeeping?


  6. #146
    AO Ancient: Team Leader
    As for dodging the bullet....

    I get the impression from what I have read that Organized Crime is in on this one up to their eyeballs..... The last thing they want is a big fuss.... They want to go about their "business" unmolested so keep a very close eye on your egress filter logs and watch the common services traffic from time to time as well.... Never know what the little bastiges are doing behind your back....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
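A check tying post #141 and post #146 together, added here as an example and not code from any poster: parse the ISC blocklist exactly as quoted in #141 (verifying that each CIDR really covers the stated address range), then run the egress-log review #146 recommends over a few constructed firewall lines in a hypothetical "timestamp src dst:port action" format and report every destination that falls inside a blocklisted range.

```python
import ipaddress
import re

# Blocklist text as quoted from the ISC recommendation in post #141.
ISC_BLOCKLIST = """
InterCage Inc.: 69.50.160.0/19 (69.50.160.0 - 69.50.191.255)
Inhoster: 85.255.112.0/20 (85.255.112.0 - 85.255.127.255)
"""

# Constructed sample egress-firewall lines (hypothetical format: ts src dst:port action).
SAMPLE_EGRESS_LOG = """
2006-01-06T09:12:01 10.0.4.17 69.50.182.68:80 ALLOW
2006-01-06T09:12:03 10.0.4.17 207.46.197.32:80 ALLOW
2006-01-06T09:13:44 10.0.7.2 85.255.120.9:443 ALLOW
2006-01-06T09:14:10 10.0.4.9 69.50.161.197:80 DENY
"""

BLOCKLIST_RE = re.compile(
    r"^(?P<name>.+?):\s+(?P<cidr>\S+)\s+\((?P<lo>\S+)\s+-\s+(?P<hi>\S+)\)$")


def parse_blocklist(text):
    """Return {name: network}; raise if a CIDR disagrees with its stated range."""
    nets = {}
    for line in text.strip().splitlines():
        m = BLOCKLIST_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable blocklist line: {line!r}")
        net = ipaddress.ip_network(m["cidr"], strict=True)
        lo, hi = ipaddress.ip_address(m["lo"]), ipaddress.ip_address(m["hi"])
        if (net.network_address, net.broadcast_address) != (lo, hi):
            raise ValueError(f"CIDR {net} does not match stated range {lo}-{hi}")
        nets[m["name"]] = net
    return nets


def find_blocklisted_egress(log_text, nets):
    """Return (timestamp, src, dst, action, list_name) for each log line whose
    destination lies inside one of the blocklisted networks."""
    hits = []
    for line in log_text.strip().splitlines():
        ts, src, dst_port, action = line.split()
        dst = ipaddress.ip_address(dst_port.rsplit(":", 1)[0])
        for name, net in nets.items():
            if dst in net:
                hits.append((ts, src, str(dst), action, name))
    return hits


if __name__ == "__main__":
    for hit in find_blocklisted_egress(SAMPLE_EGRESS_LOG, parse_blocklist(ISC_BLOCKLIST)):
        print(hit)
```

An ALLOW hit to a blocklisted range is the case worth chasing: it means an internal host reached the farm before the filter was in place.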

  7. #147
    Senior Member gore
    Does WSUS actually work that well? What I'd love to see Microsoft do is do what Linux and BSD vendors do:

    Link to the actual patch so you could download all of them, burn them to a CD, and then when you reformat you could install them without being on the internet allowing the machine to get PWNED so fast. All Linux vendors do this and it's so much easier.

    I made a dir on my FTP server and put patches in that so I don't need to even be online to update. Someone told me a third party for this exists but I really don't want third party.

  8. #148
    Senior Member
    Originally posted here by gore
    Does WSUS actually work that well? What I'd love to see Microsoft do is do what Linux and BSD vendors do:

    Link to the actual patch so you could download all of them, burn them to a CD, and then when you reformat you could install them without being on the internet allowing the machine to get PWNED so fast. All Linux vendors do this and it's so much easier.

    I made a dir on my FTP server and put patches in that so I don't need to even be online to update. Someone told me a third party for this exists but I really don't want third party.
    Hey Hey,

    gore, check out http://www.autopatcher.com/ they create CDs for 2000/XP/2003 that allow you to install all the updates.. last update is Dec. 2005 updates.... Usually about 3 are released per year.. if you go through you end up finding a lot of cool apps that you didn't know MS released because they're buried on their site.

    I've also got a tool that will change a PC to run a single update off a WSUS server (if you have one... to grab all the updates locally) and then switch it back to using Windows Update... we used to use it at the college for student machines... when we did a reinstall it was much faster to use our local server rather than go online repeatedly.... My CDs are downstairs ATM but I'll see if I can find it and attach it to this thread.

    Peace,
    HT

  9. #149
    AOs Resident Troll
    Hey Gore

    MS has a "use administrative options" on the update page

    http://update.microsoft.com/windowsu....aspx?ln=en-us

    where I believe you can download all updates individually.... sorted by OS

    Save to a folder and burn to CD..... use the folder locally like HT to bring reinstalls up to snuff

    I have a couple disks I carry around.. one for XP and one for 2000... latest service packs and most hot fixes... won't all fit on my jump drive (I usually keep utilities and personal stuff on that)

    Handy to bring the OS up to the latest SP... then get the updates

    HTHS

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  10. #150

    MS VP posting on blog --WTF?

    /off topic (apologies)

    Did you guys see the crap that Microsoft's Corp VP of security posted on MS's security response center blog?
    MS Sec Respo Ctr Blog entry
    The second issue is that while there is no imminent threat, a number of customers are seeing exploit traffic hitting their AV, IDS and IPS systems. Interestingly, when you talk to the security vendors they are seeing the rate of infection and the rate of spread actually decrease.
    What a crock of sh**. WTF is he talking about? There's been a bunch of postings all over (SANS, here, F-Secure, etc.) talking about the threats and exploitation in progress. What the he** is his definition of 'imminent threat'?

    Unbelievable that something so irresponsible would be posted by MS. I'm no MS basher normally but their handling of this latest security issue has been disappointing... until Thursday when the patch was released (thank god we have one now).

    /note: please don't let this start a MS bash thread. I just couldn't believe what I read and was wondering if anyone had any thoughts/comments.
