
Anti-Virus May Prove Insufficient in Battling Zero-Day WMF Exploit; PatchLink Makes Third Party Patch Available to Protect Its Customers.


SCOTTSDALE, Ariz. -- PatchLink Corporation, the global leader in security patch and vulnerability management solutions, today issued a temporary third party patch and Knowledge Base Article 290 as an option for protecting networks against what's being called the worst Microsoft vulnerability in the last 18 months because of the rapidly spreading zero-day threats in the wild exploiting it before an official patch is available.

Microsoft plans to issue a patch for the Windows Metafile (WMF) vulnerability next week during its monthly Patch Tuesday. In the meantime, PatchLink has made available a third party patch as an option for IT administrators using the Windows operating system who don't want to wait until the official patch is released. This is a SANS recommended temporary third party patch that can be applied as a short-term remediation for zero-day threats.

The patch comes on the heels of a new wave of attacks exploiting the vulnerability in the way versions of Windows from 98 through XP handle malicious files in the WMF. The vulnerability could allow an attacker to execute arbitrary code on a user's computer by hosting a specially crafted WMF image on a malicious web site that can lead to total system compromise, and the need to completely rebuild impacted systems.

Chris Andrew, vice president of security technologies for PatchLink, stated: "Anti-Virus programs use pattern matching to recognize exploits and stop them. Unfortunately it only takes 15 minutes for a virulent exploit to spread across the global network; AV vendors take between two and 12 hours to update their virus definition files. While AV is a good cure for removal of infections after the fact, the only way to truly stop new exploits from penetrating your defenses is to patch and lock down your systems prior to an attack based on the latest threat intelligence."

The WMF vulnerability can get into a system via any browser, mail program, removable media, etc. From internal testing, PatchLink has discovered that existing exploits will require a complete system reinstall if infection actually occurs. PatchLink recommends organizations follow patch management best practices which include thoroughly testing the third party patch within their IT environments before deploying massive installation to ensure all systems are effectively protected until the official Microsoft patch is released next Tuesday. PatchLink highly recommends that PatchLink customers deploying this temporary patch carefully read and follow instructions listed in the Knowledge Base Article 290: http://www.patchlink.com/redirect.asp?IDr=152&IDd=300.

"While temporary policy lockdowns are the only true protection against known threats with active zero-day exploits in the wild, we've issued this interim patch to provide IT administrators more options to protect their networks prior to Patch Tuesday. It is better to use the Internet without pictures for a while, than to take down your entire corporate network," said Andrew.

"Best practices approach is for IT administrators to ensure all of their networks are truly ready and able to deploy remediation of this kind quickly and effectively across all workstations and servers in their control," said Andrew. "Also, after the patch deployment, they should check to make sure all nodes are covered and find new systems that fall outside of the policy."

SANS predicts that 2006 will bring a rapid increase in the number of zero-day exploits out in the wild. With vendors still taking 30 to 120 days to build and test a patch for even critical vulnerabilities and the overflow of vulnerabilities that weren't patched last year, the industry is falling behind in patch creation and application. As a result, more holes are being left open in the most commonly used operating systems and applications than ever before. IT administrators should take a hard look at how they are detecting vulnerabilities, managing the remediation process and establishing and enforcing strong security policies in the networks that they manage.

For more information on downloading the third party patch software, visit: http://handlers.sans.org/tliston/WMFHotfix-1.1.14.msi.

For more information on PatchLink's Knowledge Base Article 290, visit: http://www.patchlink.com/redirect.asp?IDr=152&IDd=300.

For more information on Microsoft WMF, visit http://www.patchlink.com/support/ms_wmf.html.

For more information on the Microsoft Security Advisory, visit: http://www.microsoft.com/technet/security/advisory/912840.mspx.

ABOUT PATCHLINK CORPORATION

PatchLink(TM) Corporation is a global leader for multi-platform, multi-vendor security patch and vulnerability solutions provider with offices in the United States, Australia, Hong Kong, Singapore and the United Kingdom. Providing a highly scalable, extensible, multi-platform technology for network security, including endpoints, PATCHLINK UPDATE(TM) gives customers access to the world's largest repository of tested security patches and mis-configuration updates for deployment across the enterprise.

(C)2005 PatchLink Corporation. All rights reserved. PatchLink, the PatchLink logo, and the PatchLink product names and logos are either registered trademarks or trademarks of PatchLink Corporation in the United States. In addition, other company names and products mentioned in this document, if any, may be either registered trademarks or trademarks of their respective owners.
COPYRIGHT 2006 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Publication: Business Wire
Date: Jan 5, 2006