Latest report is that the exploit installs if you even download or index an infected WMF file. In other words if you use Google Desktop, which automagically touches your media files, then your system will be trojaned faster than you can say “how convenient”. No known patches are available.
F-secure, as usual, is ahead of the game with a new signature that detects the three variations already in the wild. They also have a pointer to Sunbelt who has a link to BugTraq.
Sparse information so far, but the early responders seem pretty concerned and recommending that WMF be filtered and/or all traffic be blocked to the following sites:
This seems far more serious than a Saudi teen winning a secular talent competition, so let’s hope someone higher-up issues the appropriate fatwa and/or is able to shutdown or block traffic at the carrier level.
Reuters said on Monday that a second telecom company in Saudi Arabia will block SMS messages intended as votes for a TV show:
Saudi religious scholars last May condemned the hugely popular talent show aired by Lebanese channel LBC as a crime against Islam when a young Saudi returned to a hero’s welcome after winning in the Lebanese capital Beirut.
The Saudi Telecommunications Co. (STC) made an announcement last January that it would block the messages, based on a religious decision made the prior year. The only other cell company in the country, a UAE-based consortium called Mobily (Etihad Etisalat), is finally following suit:
“We will definitely lose money, but how much, I don’t know,” [Mobily spokesman] Alghodaini said about the decision. “If we don’t (stop messaging) it would backfire on us and affect our brand.”
So, the carriers have been prohibited from profits related to the show, which does not stop the show or other forms of voting. Moreover, this certainly raises an interesting dilemma since the content of the message itself is not the problem but rather the intent of the sender to participate in a form of communication deemed objectionable to the religious leaders. And that kind of standard makes violations hard to find, let alone block.
Here’s a funny new trend in announcing software to your users. “Microsoft Messenger 8 has not been released”. In fact, you may even want to say “If you see a file called BETA8WEBINSTALL.EXE (or an obvious variation/advertisement) then please ignore.”
Even the old saying “patch early/often” can and will be held against you by the clever worm and virus authors.
The past decade has been tough – the security industry has lost its way. At one point we had no security; now there’s too much. This has been the era of security getting worse and worse. Today there’s too much software from vendors that needs to be patched. There are viruses and worms and spam and firewalls…carriers need to be doing security for the endpoints.
The theory is that a central entity can do a better job filtering the data to detect anomalies, and that the end users can not all afford to specialize in security.
But how do we know that AT&T has a security baseline that is consistent with ours as end users? I agree with Ed that the most basic threats should be removed by the carriers (like the centrally-controlled conditioning that removes big spikes and sags from the power lines), but do not see how he can get around that fact that end users will always have vastly different risk models that need individual solutions. Some of us still buy small UPS, some big, and some go with multiple UPS plus generators. That doesn’t mean we don’t think that the power company shouldn’t be liable for outages, it just means we don’t all address the same risks let alone agree to a universal fix.