At the end of the day I finally received a notice from US-CERT (http://www.us-cert.gov/cas/techalerts/TA05-362A.html):
Not all anti-virus software products are currently able to detect all known variants of exploits for this vulnerability. However, US-CERT recommends updating anti-virus signatures as frequently as practical to provide maximum protection as new variants appear.
US-CERT is tracking this issue as VU#181038. This reference number corresponds to CVE entry CVE-2005-4560.
Got that? This is VU#181038, filed under CVE-2005-4560 and available online as TA05-362A. Roger that.
Anyway, they supported the recommendations by F-Secure and Sunbelt:
- Do not access Windows Metafiles from untrusted sources
- Block access to Windows Metafiles at network perimeters
- Reset the program association for Windows Metafiles
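One way to back up the second recommendation (blocking metafiles at the perimeter) is to identify WMF content by its header rather than by filename or declared content type, since the renderer decides what a file is from its bytes, not its extension. The following is an added example, not code from the post or from US-CERT, F-Secure or Sunbelt: a small Python check that recognises both the standard METAHEADER and the placeable (Aldus) header, run over a few constructed sample payloads. The sample filenames and bodies are constructed for the demonstration.

```python
import struct

# Placeable WMF files start with the 32-bit key 0x9AC6CDD7 (little-endian bytes).
PLACEABLE_MAGIC = b"\xD7\xCD\xC6\x9A"


def is_wmf(data: bytes) -> bool:
    """Return True if the bytes begin with a standard or placeable WMF header."""
    if data[:4] == PLACEABLE_MAGIC:
        return True
    # Standard METAHEADER is 18 bytes: mtType (1 = memory, 2 = disk file),
    # mtHeaderSize (always 9 words), mtVersion (0x0100 or 0x0300), then sizes.
    if len(data) < 18:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def verdict(filename: str, body: bytes) -> str:
    """Decide what a perimeter filter should do with one attachment or download.

    Returns "block" when the body is a metafile regardless of the name it
    arrived under, "block-mismatch" when the extension disguises it, else "allow".
    """
    if not is_wmf(body):
        return "allow"
    return "block" if filename.lower().endswith(".wmf") else "block-mismatch"


def blocked_names(samples):
    """Return the filenames from (name, body) pairs that would not be passed through."""
    return [name for name, body in samples if verdict(name, body) != "allow"]


# --- constructed sample payloads (not captured from real traffic) ---
# Minimal standard header: type=2 (disk), header size=9 words, version 3.0,
# file size=9 words, 0 objects, max record 0, reserved 0.
STANDARD_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
# Placeable header (22 bytes) followed by the standard header.
PLACEABLE_WMF = (
    PLACEABLE_MAGIC
    + struct.pack("<HhhhhHIH", 0, 0, 0, 100, 100, 96, 0, 0)
    + STANDARD_WMF
)
JPEG = b"\xFF\xD8\xFF\xE0" + b"\x00" * 32

SAMPLES = [
    ("diagram.wmf", STANDARD_WMF),      # honest metafile
    ("holiday.jpg", PLACEABLE_WMF),     # metafile hiding behind a .jpg name
    ("photo.jpg", JPEG),                # real JPEG, passes
    ("notes.wmf", JPEG),                # JPEG with a .wmf name, passes the content check
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(f"{name:14s} -> {verdict(name, body)}")
```

The point of the `block-mismatch` outcome is visibility: an extension-only rule would have let `holiday.jpg` through, and logging the mismatch separately makes that case easy to find when reviewing what the filter caught.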
I had a brief discussion today with some admins and told them I disagree with the last recommendation. No one seemed to object, perhaps because it would be such a royal pain to implement thoroughly and it might not even be effective, but who knows at this point. So we’ve rolled out the top two (plus HTTP and SMTP filtering) and are observing traffic.
I posted some of the same info over on Bruce’s blog…