That was it; SANS
http://handlers.dshield.org/jullrich/wmffaq.html
So it can even get onto 'Trusted' websites.
(At least they are saying they had a 'report').
Digital whispers....
Regards
Murad Talukdar
-----Original Message-----
From: Brady McClenon [mailto:BMcClenon@uamail.albany.edu]
Sent: Saturday, January 07, 2006 2:29 AM
To: Drew Simonis; Thor (Hammer of God); Erin Carroll;
pen-test@securityfocus.com
Cc: Larry Seltzer; focus-ms@securityfocus.com
Subject: RE: New article on SecurityFocus
Just curious. I hear media reports and people saying that there's
hundreds or thousands of compromised web site from this, but I have ask
where these numbers come from? Where is this data, or is it pure
speculation? I'm also curious how one could compromise a web server
with this exploit. Putting files on a web server to dole out and
compromise other computers I can see, but is the web server really
compromised in this case? If so, was it by way of the WMF exploit?
One last question: Has anyone here experienced or know anyone that has
a "legitimate" web server compromised (or serving out) by the WMF
exploit. I'm trying to determine if there are those with actual
knowledge that the sky is indeed falling, or if we are all shaking over
unsubstantiated media hype.
-----Original Message-----
From: Drew Simonis [mailto:simonis@myself.com]
Sent: Friday, January 06, 2006 10:22 AM
To: Thor (Hammer of God); Erin Carroll; pen-test@securityfocus.com
Cc: Larry Seltzer; focus-ms@securityfocus.com
Subject: Re: New article on SecurityFocus
Overall, I think community's coverage of wmf has been delivered
with an ounce of perception, and a pound of obscurity. It's almost
as if people *want* it to be worse than it is. I'm not surprised,
of course. But regardless, my call is that we'll see a little
activity here and there, the patch will come out, most will install
it (or have it installed automatically) and the whole issue will
fade away. But that's all.
We'll know for sure shortly, either way.
Thor,
I think your path of thought is stuck a bit in the past.
Worms are neat as a technical exercise, but we see more and
more that the attackers are increasingly aware of the value
of these vulnerabilities from a financial perspective, not
merely for notoriety. As such, it benefits the attacker to
have a less subtle attack, one that does not sensationalize
the vulnerability. Complacency is their ally.
That said, there are already numerous (hundreds+)
"legitimate" web sites that have been compromised and had
exploit images injected into their content. There are also
already hundreds of thousands of machines that have been
infected with Trojans or bots. These infected machines will
patch, but they won't be safe, and the problem gets worse.
So no, there won't be some catastrophic worm event. But I
posit that what there will be could be much worse.
--
___________________________________________________
Play 100s of games for FREE! http://games.mail.com/
--------------------------------------------------------------
-------------
--------------------------------------------------------------
-------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
