-
January 8th, 2006, 02:43 PM
#151
Well, he would say that, wouldn't he? But, if it were true, why would MS issue the patch out of schedule?
They must be totally embarrassed that a third party provided a fix before they did.
I think that Tiger~ has a good point a few posts above. How many machines have already been compromised?
Will your anti-malware pick up the payloads whatever they might have been?
Sure, some AVs were picking up attempted attacks before the patch, but how many did they miss?
-
January 8th, 2006, 09:05 PM
#152
But, if it were true, why would MS issue the patch out of schedule?
Microsoft originally planned to release the update on Tuesday, Jan. 10, 2006, as part of its regular monthly release of security bulletins, after testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.
[1] Microsoft Releases Security Update to Fix Vulnerability in Windows
....
-
January 8th, 2006, 09:13 PM
#153
Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.
Uh huh. And what about customer sentiment about other releases being critical to release earlier?
This makes it sound like this is the only one that customers/consumers were concerned about.
-
January 8th, 2006, 09:40 PM
#154
This all just seems like a feeble attempt at managing an embarrassing public relations situation...and hence all the downplaying of this vulnerability. Which again is totally and utterly irresponsible by MS.
Nihil/Tiger: Frightening prospects...thousands/hundreds of thousands of PCs infected prior to patch release, and especially concerning given the 2nd round of exploit code FrSIRT posted that can morph in ways to avoid AV sigs.............sigh.
Those of us responsible for more than a couple computers could be in store for many weeks (months?) of responding to 'strange' incidents.
-
January 8th, 2006, 11:24 PM
#155
Those of us responsible for more than a couple computers could be in store for many weeks (months?) of responding to 'strange' incidents.
That _should_ be your normal stance. I look every day for abnormal traffic and activity.... ISC are asking for people who noticed this exploit before Dec. 1... That's a little scary.... Time to take another look through the logs....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
January 9th, 2006, 03:37 AM
#156
Originally posted here by Tiger Shark
That _should_ be your normal stance.
Oh I know...and it is. My statement had to do with all the machines that got infected prior to signatures being released, and also in response to that same SANS statement.
Like I said earlier, any machines infected with that 2nd set of exploit code (the one that can morph) may never be detected...well unless they become very _chatty_ or attempt to use non-standard ports.
Anyone find any infected machines that had listening ports on any non-standard ports? Maybe we could scan our machines for these. Maybe I'll grab some of the sploits and intentionally infect a couple of machines and scan them. If I find anything I'll share. Let's share intel here...
-
January 9th, 2006, 10:28 AM
#157
Ok, this is a lil late and a tad off topic. I know that a .wmf with a changed extension will normally be translated and cause issues in general, but does it affect Firefox?
The answer to all how to questions: Very carefully with a large stick.
"Dogs f***ed the Pope. No fault of mine." Hunter S. Thompson
-
January 9th, 2006, 12:32 PM
#158
Test Files
I think what's very important to note is that DEP in some cases can SEEM like it saves unprotected systems from this exploit. This is because when one of these files is SERVED via the Internet, it requires RUNDLL32.EXE to help launch the exploit ("In some cases, there are MANY Payloads Possible"), so DEP can sense this and stop it; however, IF one of these files somehow makes it to your hard drive, on unprotected systems, they can LAUNCH without the need of RUNDLL32.exe.
Some may ask "Well, how could they make it to the hard drive?" The simple answer is via some kind of download, for example contained in a .zip or .rar file.
If in fact this happened, the simple ACT of looking at the files contained in the folder in which they were located ("On an unprotected system") can/could launch them, and there is NO requirement for thumbnail view to be on for this to happen.
This is why it is so important to test on unprotected systems both On-Line and Offline.
These test files show this:
http://www.antionline.com/showthread...hreadid=273053
Where Black, Gray and White Hats Unite to help protect YOU from current and future Exploits http://testing.OnlyTheRightAnswers.com
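A defender's check for the case the post above describes (a WMF file that reaches the disk under another extension), as an added example that is not the poster's test files or any project code: it identifies WMF content by header regardless of the file name and lists the Escape records each such file carries. The record layout, the placeable-header magic and escape code 9 (SETABORTPROC) are Windows metafile facts; the sample file, the temp directory and every function name here are constructed for this example.

```python
import os
import struct
import tempfile

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header, "D7 CD C6 9A" on disk
META_ESCAPE = 0x0626          # WMF record function number for Escape
META_EOF = 0x0000
SETABORTPROC = 9              # escape code the MS06-001 (WMF) patch addressed

def _strip_placeable(data):
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        return data[22:]
    return data

def looks_like_wmf(data):
    """True if the bytes carry a WMF header, whatever the file extension says."""
    body = _strip_placeable(data)
    if len(body) < 18:
        return False
    mtype, hdr_words, version = struct.unpack_from("<HHH", body, 0)
    return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)

def escape_codes(data):
    """Escape codes of every META_ESCAPE record; records are walked by their word size."""
    body, pos, codes = _strip_placeable(data), 18, []
    while pos + 6 <= len(body):
        size_words, func = struct.unpack_from("<IH", body, pos)
        if func == META_EOF or size_words < 3:
            break
        if func == META_ESCAPE and pos + 8 <= len(body):
            codes.append(struct.unpack_from("<H", body, pos + 6)[0])
        pos += size_words * 2
    return codes

def scan_tree(root):
    """Return (path, extension_lies, escape_codes) for every file that is WMF by content."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read(1 << 20)
            if looks_like_wmf(data):
                hits.append((path, not name.lower().endswith(".wmf"), escape_codes(data)))
    return hits

def build_sample():
    """Constructed minimal disk metafile: header, one Escape(SETABORTPROC) record, EOF."""
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
    esc = struct.pack("<IHHH", 4, META_ESCAPE, SETABORTPROC, 0)  # size(words), func, code, len
    return header + esc + struct.pack("<IH", 3, META_EOF)

def demo():
    """Drop the sample under a .jpg name next to a real PNG stub, then scan the folder."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "holiday.jpg"), "wb") as fh:
            fh.write(build_sample())
        with open(os.path.join(tmp, "real.png"), "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n" + b"\0" * 32)
        return [(os.path.basename(p), lies, codes) for p, lies, codes in scan_tree(tmp)]
```

Running `demo()` reports only `holiday.jpg`, flagged as mislabelled and carrying escape code 9; a scan run over a download folder is the same call with `scan_tree(path)`.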
-
January 9th, 2006, 10:34 PM
#159
We may not be out of trouble on this yet, gang. This was just published at SANS:
Published: 2006-01-09,
Last Updated: 2006-01-09 18:27:08 UTC by William Salusky (Version: 1)
We had hoped the chapter on WMF exploits had finally been closed, pending the patching of countless millions of vulnerable workstations of course. However, today we were forwarded a Bugtraq disclosure of two additional functions vulnerable to memory corruption attack within the Microsoft graphics rendering engine. The flaw reportedly affects the 'ExtCreateRegion' and 'ExtEscape' functions and while there has been no current proof of concept exploit/DoS code publicly released we will be watching this issue closely.
reference: http://www.securityfocus.com/bid/16167 (Sorry, you have to cut/paste).
Cheers:
-
January 9th, 2006, 10:42 PM
#160
Gir, in response to your post:
Originally posted here by Gir
Ok, this is a lil late and a tad off topic. I know that a .wmf with a changed extension will normally be translated and cause issues in general, but does it affect Firefox?
Third post of this MASSIVE thread:
Originally posted here by Deeboe
According to F-Secure's blog, "Firefox users can get infected if they decide to run or download the image file."
-Deeboe
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War
http://tazforum.**********.com/