Tuesday, January 03, 2006

WMF: Good news and bad news

Looks like Mike McBride over at Out of the Frying Pan, and into the Cube has been fighting his own battles with WMF.

SANS has posted an explanation of the WMF and workarounds here. The good news is, according to SANS, "The Internet Storm Center knows of quite a few government and larger organisations that did roll-out the unofficial patch, so your "peers" might very well be doing the right thing right now."

The bad news is that SANS says:

* The usual precautions, such as telling the users not to click or surf to bad sites, updating anti-virus, filtering email, ... will help just like a drop of water helps to fill a bucket. It's just not good enough by far.
* No user interaction is required. This is one of those where the user is a sitting duck, not the offender.
* Many anti-virus signatures still trigger on the payload, not on the call in the WMF and therefore might get a working signature long after you got hit if you are unlucky to get hit early.
* IDS/IPS can be easily bypassed by using off-the-shelf tools already available to the bad guys.
* Firewalls will not prevent filesharing once the files are inside.

They also say, "The bad guys haven't released their worst (yet), but we know they have the tools and means to create it and we expect them to do so well enough before the official patches are released next week."

This is going to be a very long week for a lot of users and IT staff.
