Re: Windows MetaFiles still vulnerable

Author	All Replies
dp Go Steelers Premium,MVM join:2000-12-08 Greensburg, PA ·Verizon Online DSL	reply to redxii Re: Windows MetaFiles still vulnerable Additional info: »isc.sans.org/diary.php?storyid=972 »www.securityfocus.com/bid/16074/info -- Write your questions down on the back of a $20 dollar bill and send them to me
	to forum · permalink · · 2005-12-28 06:03:38 · (locked)
redxii too big to fail Premium,Mod join:2001-02-26 Texas Host: /dev/null Broadband Tweaks Suddenlink ISDN Fiber Optic 1 edit	Kinda funny. I found it out on my own then while I was typing it up other people are in the know at the same time. I did not go to unionseek or heard of it until other people were posting WMF file code execution Except i'm wondering what the hell happened. They released a patch fixing metafile code execution, and two months later we have metafile code execution even with the said patch. Except this time it is actually in the wild. "The issue may be exploited remotely or by a local attacker. Any code execution that occurs will be with SYSTEM privileges due to the nature of the affected engine." Atleast in my testing, this does not appear to be the case. I think they are confusing the fact that most people run as admin, and once the code is executed it creates services that are run as SYSTEM. It for sure died in a restricted account.
	to forum · permalink · · 2005-12-28 06:19:04 · (locked)
beerbum Premium join:2000-05-06 Reading, PA clubs:	reply to dp said by dp : Additional info: »isc.sans.org/diary.php?storyid=972 »www.securityfocus.com/bid/16074/info NAV users there is a new def file out that should catch it... just came down on my live update... »securityresponse.symantec.com/av···.56.html
	to forum · permalink · · 2005-12-28 20:48:08 · (locked)
rds24a Teach Your Children Premium join:2000-12-13 Springboro, OH clubs: ·RoadRunner Cable 1 edit	said by beerbum : NAV users there is a new def file out that should catch it... just came down on my live update... »securityresponse.symantec.com/av···.56.html I would be interested in see if someone with a spare machine can check if NAV actually catches and cleans this. I ran a manual liveupdate even though I already had 12/28 defs and found almost a dozen updates that auto LU hadn't applied. My confidence is low. -- All hail JoePa
	to forum · permalink · · 2005-12-28 22:13:34 · (locked)
catseyenu Ack Pfft Premium join:2001-11-17 Fix East 1 edit	NAV picks it up as of today's update. Calls it Bloodhound.Exploit.56 »securityresponse.symantec.com/av···.56.html Edit: Yes, I've run it on MS VM and NAV picked it up.
	to forum · permalink · · 2005-12-28 22:39:57 · (locked)
antdude A Ninja Ant Premium,VIP join:2001-03-25	reply to rds24a said by rds24a : said by beerbum : NAV users there is a new def file out that should catch it... just came down on my live update... »securityresponse.symantec.com/av···.56.html I would be interested in see if someone with a spare machine can check if NAV actually catches and cleans this. I ran a manual liveupdate even though I already had 12/28 defs and found almost a dozen updates that auto LU hadn't applied. My confidence is low. Or do it in VMware. -- Ant @ The Ant Farm: »antfarm.ma.cx ... Please do not IM/e-mail me for technical support. Use the forum (I check almost daily)! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer.
	to forum · permalink · · 2005-12-28 22:48:18 · (locked)


Friday, 27-Nov 07:05:33	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com.republican-creole page compression OFF