Category Archives: Security

function key of death

This news story is quite sad. A high school student discovers that enough people pressing the F5 key while on the school website causes a Denial of Service (DoS) condition, perhaps even on the school’s “system”. Alas, being a typical high school kid, he tells all his friends to give it a try at the same time.

What’s the response?

“It’s a crime and it is important we take this seriously … especially for school officials … it could have done a tremendous amount of damage,” said Canton City Prosecutor Frank Fronchione.

Ok, but let’s be Frank about this. I bet the prosecutor probably broke the speed limit on the way to work that morning, which also could have done a tremendous amount of damage, but mild speeding has not been established as a felony (yet?). So what’s the “reasonable” level of damage and the “reasonable” response? Can Frank explain the risk calculation that has been used to suggest that a “tremendous amount of damage” is even remotely likely, or that the remediation of the hole would cause duress? I’m not defending the student, just wondering if some of the key details of the story are missing.

My guess, based on the over-reaction of the school to the attack, is that this is one of those cases where the kid was already marked as some kind of trouble-maker with a prior record and the school has just been looking for the right function to get him out of their hair. But the details are sketchy and prosecutors are known to blow things out of proportion in order to establish a favorable bargaining position for their client.

Apologies for the puns…

WMF patch details

Get ready to reboot all your XP, 2003 and 2000 systems.

Surprised? Ah, remember the lavish Windows 2000 launch parties when we were all told “rebooting will be a thing of the past” and “only six (kinds) of reboots will be necessary, down from six-hundred in NT4”.

Maybe I’m exaggerating a little, but my point is that this is a major inconvenience in order to fix a minor convenience that most people aren’t even aware of in a large enterprise. It just gets uglier since we are looking at a reboot of critical services when they are supposed to be up all the time and generating revenue — who wants to tell management “we had to have a maintenance window this weekend because of some picture rendering code on the console”. Well, it has to be done.

So far we believe the update changes the following registry keys:

    HKLM,"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB912919"
    HKLM,"SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB912919"

And the following files get touched:

    Windows Server 2003 will replace Gdi32.dll
    Windows XP will replace Gdi32.dll and Wgdi32.dll
    Windows 2000 will replace Gdi32.dll and Mf3216.dll

Which makes me say…

Patch released early
safer code rolls out to disk-
  why must I reboot?

Note: Never rely on the registry keys alone for proof of a patch since someone could obviously stuff the registry…
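A verification script in that spirit, added here and not part of the original post: it checks the registry keys listed above against the version of the GDI binaries actually on disk, and against a file replacement still staged for the next reboot. The expected gdi32.dll version is a placeholder to fill from the bulletin's file-information table; PendingFileRenameOperations is a standard Windows value, and the other names come from this post.

```powershell
# Added example (not from the original post): confirm KB912919 (MS06-001) on a
# host by checking the on-disk GDI binaries, not just the registry keys.
param(
    # PLACEHOLDER: take the patched gdi32.dll version from the MS06-001
    # bulletin's file-information table for the OS you are checking.
    [Version]$ExpectedGdi32Version = [Version]'0.0.0.0'
)

# Registry keys the post lists as written by the update.
$hotfixKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB912919',
    'HKLM:\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB912919'
)
$registryClaimsPatched = @($hotfixKeys | Where-Object { Test-Path $_ }).Count -gt 0

# Build a comparable version from the binary's version resource
# (VersionInfo.FileVersion is free text and does not cast to [Version] reliably).
function Get-BinaryVersion([string]$Path) {
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

$sys32 = Join-Path $env:SystemRoot 'system32'
$gdi32Version = Get-BinaryVersion (Join-Path $sys32 'gdi32.dll')
$fileIsPatched = $gdi32Version -ge $ExpectedGdi32Version

# A replacement staged for the next boot means the old gdi32.dll is still the
# copy that is loaded, even though the patch has "rolled out to disk".
$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pending = (Get-ItemProperty -Path $sessionMgr -ErrorAction SilentlyContinue).PendingFileRenameOperations
$rebootPending = ($null -ne $pending) -and (($pending -join "`n") -match 'gdi32\.dll|wgdi32\.dll|mf3216\.dll')

# Report the companion files the post names; which ones exist depends on the OS.
foreach ($name in 'gdi32.dll', 'wgdi32.dll', 'mf3216.dll') {
    $p = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $p) { '{0,-12} {1}' -f $name, (Get-BinaryVersion $p) }
}

if ($fileIsPatched -and $registryClaimsPatched -and -not $rebootPending) {
    'PATCHED: registry and gdi32.dll agree, no pending file replacement'
} elseif ($registryClaimsPatched -and -not $fileIsPatched) {
    # The case the note warns about: a registry entry without the matching binary.
    "SUSPECT: KB912919 key present but gdi32.dll is $gdi32Version (< $ExpectedGdi32Version)"
} elseif ($rebootPending) {
    'PENDING: new GDI binaries staged, old copy stays loaded until reboot'
} else {
    "UNPATCHED: gdi32.dll $gdi32Version, registry claims patched: $registryClaimsPatched"
}
```

Run it per OS family with the matching expected version, since the patched gdi32.dll version differs between 2000, XP and 2003.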

Microsoft announces WMF patch

Great news. At 2PM today Microsoft will officially release its patch for the latest WMF exploit, which is nice of them to do ahead of time. It’s already available here:

http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx

Microsoft will hold a special Web cast on Friday, January 6, 2006, to provide technical details on MS06-001 and to answer questions. Registration details will be available at http://www.microsoft.com/technet/security/default.mspx.

We’re actually reviewing deployment details now, as well as moving further ahead with the other preventive/detective measures already underway.

Incidentally, 4PM (-8 GMT) is the anticipated Sober explosion, but I’ve watched an incredibly exponential spike (2000%) in sober payload since Dec 28th, suggesting that the two issues may be closely related…all the more reason to get things under control right now.

WMF Update

I guess this is one of those moments where I get to say thank you to those who were the true early responders. Thanks to you I was able to make an accurate as well as timely estimate of the risks and I helped many others take early preventive action. Feels good to have provided a useful service that lowered risk way ahead of the curve.

With that in mind I just received confirmation directly from Microsoft that they have been working on ISPs to block or even shut down sites known to be hosting the WMF exploit code. They also said that a patch may be possible prior to Tuesday, but that doesn’t honestly impress me much since it’s already Thursday, Jan 5th and the hole has been on our radar since at least Dec 28th. I’m not going to look a gift horse in the mouth, so to speak, but we practice defense-in-depth because a patch from the vendor is just one of many controls that need to be in place. Patching a few days early would be great, but I have been holding most systems out from hexblog (except in isolated cases) because of the perceived higher value of rolling thousands of patches cleanly with no side-effects. Risk and trade-offs, eh? So far so good.

MS also mentioned that their security team is trying to put together a list of sites to block. Well, I think many of us have been doing that ourselves since the 28th as well as monitoring traffic based on a set of open-source rules available since the 30th. So I welcome the update from MS, but my guess is that they are tapped into the same sources we are and will just add polish to an otherwise excellent effort by the security community at large. Not so much a value-add as a, “really, you too, no kidding?”

And that just reminds me of the early 1980s when Gates was famous for railing against the BBS operators and public disclosure forums as wasteful amateurs who were harmful to the market. He might want to take a moment and apologize (or maybe even donate to open-source efforts like snort) since it is exactly these community and non-profit forums that have been most helpful in protecting our Windows systems from disaster these past two weeks. Thank you to those who provided the real alert and have been working on this with me in advance of our “official” meeting with Microsoft today.

I had some other questions for Microsoft that they seemed unable to answer, but they said the security team will be calling me back to discuss further. In a nutshell, they’re getting ready to issue a preventive control update, but at this point we’re up to our eyeballs in preventive controls and need to validate the detective end of the spectrum to assess the success of the patch. Trust, but verify, right?

Oh, and I have to admit that we have one confirmed case of One Care cleaning the WMF exploit from a test system, which is very heartening, but I also have to say that the discussion immediately afterwards turned to “Have you tried Vista? No you should test it. No way man, you should test Vista. Not me, I just bought a Mac, you test it…”