While all of the rest of us were sleeping, it appears that the propeller-heads working on Billy Wonka's Official Microsoft Research and Development Team have been hard at work creating a crystal ball capable of foretelling the future. The only problem: it appears that they made it from rose-colored crystal.
Comments? Send them to overflow at sipr dot net
In their rosy vision of the future, over the next seven days, nothing bad is going to happen. The fact that there are point-n-click toolz to build malicious WMFs chock full o' whatever badness the kiddiez can cook up doesn't exist in that future. The merry, lil' Redmond Oompa Loompas are chanting "Our patch isn't ready / you have to wait / so keep antivirus / up-to-date" which makes perfectly accurate, current AV signatures appear on every Windows computer - even those with no antivirus software.
The future, according to Microsoft, is a wonderful, safe, chocolaty place.
Read the rest of Tom Liston's famous diary at http://isc.sans.org/diary.php?storyid=1011
Comments from avid Internet Storm Center readers
I find it hard to understand why some people would have "unflattering" comments about the ISC or the Handlers. You folks obviously care deeply about helping to keep all netizens accurately informed about the issues that could affect all of us, and show profound dedication by giving of yourselves day after day after day. When the WMF issue was disclosed, not only did my company not hear anything in the way of a warning from Microsoft, we couldn't even get a worthwhile response to questions from "Premier Support" (which we pay dearly for). Ostensibly this was because of the holidays, but the Handlers were there, as always, and the information they provided was invaluable (as always). Hopefully you guys can take any critics spewing venom with a grain of salt, because as we all know: those that can't do, teach; those that can't teach, manage; and those that serve no worthwhile purpose, critique. ;]
Thanks again for all your hard work.
A hearty thanks for all your work and advice.
I am an IT manager of a small college. As the university is a highly distributed environment [in finances, responsibilities and resources], each of us 'geeks' must make our own decisions for our own college/faculty. I chose to install the unofficial patch and deregister the shimi..shami. I did it early on, on New Year's in fact. I found it helpful and have observed no ill effects. I now feel no great rush to install the official patch.
I have checked your site silently for years, and have always found good information there.
Again, Many thanks.
I wouldn't really think about applying the unofficial patch. But I did put the home PC off limits until the patch was out. And I did modify my hosts file. (This brings up an interesting question: if my hosts file is "pseudo blocking" undesired destinations, are these outbound attempts being logged anywhere? I would be curious to see just how many "undesired" sites my hosts file is blocking.)
I agree this was all handled very well. I'm happy MS released early, but they should have had a patch out way sooner than they did.
Many Superdiduper thanks to all the AV vendors and SANS for a job well done.
I want to express my sincere thanks for the courageous and untiring efforts of ISC's handlers over the past week. While I, too, was a bit worried about installing an unofficial patch on the business network I administer, I felt better knowing that the trustworthy ISC Handlers were watching my back (and front). I installed version 1.2 and then went around and removed that and installed 1.4 of Ilfak Guilfanov's patch on our office machines, assured that your stamp of approval was backed up by the best analysis available on planet Earth.
I wish I could take apart code like you can, but I'm blessed to have ISC informing me and then going the extra kilometer to give me the tools to do something about the problems about which you warn us! Keep up the great work!
Personally I thank you for the "unofficial" patch.
It was used throughout our organization, which allowed me to move on to other issues, with a more secure feeling.
I should like to take the opportunity on behalf of ourselves and all of our customers to extend a huge ‘thank you’ to all the staff, volunteers and contributors that worked so hard to keep us so perfectly informed as to what was happening during this issue.
Over the holiday period it must have been gut-wrenching to have to deal with something like the WMF vulnerability, and the time and dedication you showed only goes to prove the worth of the ISC.
The biggest contribution made by the ISC was, without a doubt, that of offering your readers a ‘choice’. No one was being forced to follow the suggestions you guys made and apply an unofficial patch, yet it was fully tested, verified and made freely available. Just having that choice available must have been an enormous relief to your readers during the period we were all wondering when/if an official patch would turn up.
I should not like to speculate as to whether the ISC had any influence on Microsoft to release their patch ahead of their original projected date but I should like to think it did!
Please, please, ignore any negative response you get over this issue and continue to supply us with the high standards of information and support you have deservedly built your reputation on.
I applied the interim patch for the WMF vulnerability both at work and at home. I then backed out those changes when MS came out with their fix.
You people do an excellent job, I visit your site every day. It's informative, mostly objective ;-) and very useful.
Keep up the excellent work!
All I can say is thank you from myself, and yes, I installed the unofficial patch as soon as possible (in fact his original from hexblog, before it was tested by everyone) on ALL of the machines in my care that run XP, and the tested version on the Win2K ones. As a side note, since installing the officially sanctioned one, some machines running the SeaMonkey beta on both the W2K and XP platforms can no longer use Gaim whilst running SeaMonkey. I will try and figure that out as the days progress, because we saw no issue whatsoever with the unofficial patch.
I agree completely with today's handler update. It IS all about the risk that each of us is prepared to take with the infrastructure that we support.
There were indeed many comments both for and against the unofficial patch. Some were passionate about their position and their opinion. The discussion, the sharing of ideas and the pooling of information are what is so very important in determining the level of risk that we are prepared to take. The perspectives and experience provided by the handlers, pooled together and shared in the ISC, allow us to make the best, most informed decision for our own organization.
Ultimately, it becomes a decision taken by each individual or organization.
In my opinion, the Internet Storm Center provides me with the best (most in-depth, most honest) information to allow me to make a decision that meets the needs of our organization. You people have done a SUPERB job throughout this situation. Please, please, please keep it up for all of us.
Thanks very much.
With respect to the "It is all about the risk" posting, I just want to thank you and all the other contributors involved in the WMF vulnerability discussion.
What I found to be most valuable was that the ISC provided all the information needed for me to make informed decisions on how to address the issue, both at home and at the office. Based on the information provided I was able to monitor our network and take other precautions. Although I didn't deploy the unofficial patch, it was waiting in the wings for the first confirmed sighting in the company and ready to deploy at a moment's notice. Just having that as a safety net did much to reduce my stress levels. It would not have been possible without the hard work of all the handlers.
Thanks so very much.
At least the year 2006 starts pretty interestingly, and I thank you very much for collecting and providing all that information and for working on weekends and during holidays.
From the security company from which we normally get our system-filtered security notifications there was nothing at all about WMF, so the ISC brought my attention to that issue. Although we could not roll out the unofficial patch, we managed to block the IPs you suggested and warned our users (I know it is not much, but that alone was 24 hours of work to get all the approvals).
Even if there is not yet a really big payload in all those WMF exploits, it at least gave us just the right management attention to start the year!!!
So that my Incident Handling team could say "hey, we are still here and paying attention to what is going on outside, do not forget us!".
First and foremost it helped because we could notify management before the press made a real big thing out of wmf.
So, as Ed teaches "do not be scared to be the first who cried wolf" ;)
Thank you so much!
Warm regards from Germany!
"You'll dress only in attire specially sanctioned by ISC special services. You'll conform to the identity we give you, eat where we tell you, live where we tell you. From now on you'll have no identifying marks of any kind. You'll not stand out in any way. Your entire image is crafted to leave no lasting memory with anyone you encounter. You're a rumor, recognizable only as deja vu and dismissed just as quickly. You don't exist; you were never even born. Anonymity is your name. Silence your native tongue. You're no longer part of the System. You're above the System. Over it. Beyond it. We're "them." We're "they." We are the