I have gotten a few people up in arms about my comments regarding Secunia’s "Extremely Critical" Windows Metafile advisory today. Here’s what I said:
Although Secunia deemed the flaw highly critical, at least one security researcher was dismissive of the bug’s severity. Pete Lindstrom, research director for Spire Security LLC, said that at this stage in the game, anything that requires user interaction is hardly worth notice.
"There’s no such thing as ‘extremely critical’ when user interaction is required," Lindstrom said. "That’s just silly."
I’d say that is fair at this stage of the Internet’s evolution. Anybody who is indiscriminately clicking on things doesn’t read advisories anyway and is likely infected with many other trojans/bots/malware. Here was one response in the article (bold emphasis mine):
But as far as using IE goes, download of malicious software is automatic, happening immediately upon going to the site, pointed out Alex Eckelberry, president of Sunbelt Software.
"There is no user interaction required," he wrote in an e-mail exchange. "You hit the Web site, you get hit immediately. No prompts, nothing."
So, he is saying there is no user interaction after the user interaction. Curious.
Anyway, it typically requires what I would call a form of automated social engineering to engage. The easiest test for this is if changing user behavior solves the problem. In this case, I believe the answer is yes.
This gets us to the "extremely critical" rating which I just find funny – sort of like the "triple dog dare" in A Christmas Story. At some point we’ll need to change the ratings in order to maintain the appropriate level of FUD (we are all getting used to current levels such that they are losing their FUDness). Maybe "Dog," "Double Dog," and "Triple Dog" are good possibilities?
Btw, here is my recommendation:
Lindstrom noted that the long-term answer to dealing with what he called this type of "flotsam and jetsam" of constant security alerts is to install host intrusion prevention software to designate what software is allowed to run on a system and what it’s allowed to do.
As far as the short-term response to this particular vulnerability goes, Lindstrom echoed Secunia’s advisory when it comes to untrusted files: "Don’t click on it," he said.
(Yes, I know this stuff is still a problem. We just need to start thinking about it differently. Don’t we?)
I don’t buy it… since your defense of “simply not clicking on what you don’t know” does nothing should this infect “innocent” websites on the net, or reside in some file on an internal server somewhere.
The step from deliberate sites infecting this to “trusted” sites potentially doing it seems smaller than a potential mutation of the bird flu.
If the only defense is “don’t go there,” you’re trusting the other guy not to hurt you. There’s virtually nothing the end user can do save disabling certain features. When faith in the webserver’s virtue is your advice on how to avoid this “funny they call it extreme” vulnerability, well, that seems to be a pretty big problem.
@lemming -
I think the likelihood of some “trusted” site becoming infected is fairly low. Staying infected is close to zero (someone would scream fairly quickly). Sure, it could happen, but this isn’t really the type of thing you can hide all that easily.
It is worth noting that this malware doesn’t have to propagate via the Web, but I can’t come up with a legitimate way to infect someone that doesn’t involve one or more clicks.
I think basic protection is fairly straightforward – I just went in and disabled my .wmf file association so that it would require (at least) two clicks to view a file. It may have a significant impact for those folks who use .wmf files quite frequently, I suppose.
I guess my real problem is that an “extremely critical” rating leaves no room for differentiation of threats that I consider much more significant – in particular, worms like Blaster and Slammer.
Note as well that my final recommendation is much more important than simply “not clicking,” it involves a new (for some) way of thinking about the problem – host intrusion prevention.
This doesn’t sound right. As noted elsewhere, you get burned if Google Desktop indexes a file containing the exploit.
So, while you’re away from your PC, somebody sends you an email with a bad WMF as an attachment. Google Desktop will index it immediately and you get infected totally automatically. Sounds like no user interaction to me.
@John -
That is a reasonable scenario; one worth being aware of. Regardless, I still believe it is pretty unlikely, or at least a lot less likely than my aforementioned Blaster/Slammer examples. (In my mind, that is the real problem – we had some pretty serious worms in the past and people are now trying to re-orient consumers to be more afraid of less significant problems.)
If you have to build a multi-step scenario for it to work, then it just doesn’t ring “extremely critical” to me… you are welcome to describe these circumstances (as has occurred) and suggest that under these constraints, it is “extremely critical,” just don’t suggest it to the world when the majority (by far) is highly unlikely to be affected.
As far as a solution is concerned, simply removing .wmf associations should solve the problem (maybe not for the Google problem). If that doesn’t work, there are registry settings and DLLs that you can change. I suspect antivirus software can be effective here as well.
And remember, don’t surf to the four websites that are affected and don’t set Google desktop to automatic.
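The two host-side workarounds mentioned in the replies above (removing the .wmf file association so a file no longer opens on a single click, and changing the DLL that renders the image) can be scripted so they are reversible. The script below is an added example, not something from the original post or its comments. It assumes an elevated PowerShell session on a Windows host, that the association lives under HKEY_CLASSES_ROOT\.wmf, and that the DLL in question is shimgvw.dll, the Windows Picture and Fax Viewer library named in Microsoft's published workaround for this flaw; the backup path is a constructed choice.

```powershell
# Added example (not from the original post): make the .wmf association and
# viewer-DLL workaround reversible. Run from an elevated PowerShell session.
# Assumptions: association key HKCR\.wmf; viewer DLL is shimgvw.dll (the DLL
# named in the vendor workaround at the time); backup path is constructed.

$assocKey = 'Registry::HKEY_CLASSES_ROOT\.wmf'
$backup   = Join-Path $env:TEMP 'wmf-assoc-backup.reg'

# 1. Record what .wmf currently opens with, so the change can be reverted
#    later with: reg import $backup
if (Test-Path $assocKey) {
    $progId = (Get-ItemProperty -Path $assocKey).'(default)'
    Write-Host "Current .wmf handler (ProgID): $progId"
    reg export 'HKCR\.wmf' $backup /y | Out-Null
    Write-Host "Association backed up to $backup"

    # 2. Clear the default handler so a .wmf file no longer opens on one
    #    click (the 'at least two clicks' behaviour described in the thread).
    Remove-ItemProperty -Path $assocKey -Name '(default)' -ErrorAction SilentlyContinue
    Write-Host 'Removed default .wmf handler.'
} else {
    Write-Host 'No .wmf association present; nothing to remove.'
}

# 3. Unregister the image-viewer DLL that renders WMF previews and thumbnails,
#    which is the path an indexer or explorer preview would take without a click.
#    Reverse with: regsvr32 "$dll"
$dll = Join-Path $env:windir 'system32\shimgvw.dll'
if (Test-Path $dll) {
    Start-Process -FilePath 'regsvr32.exe' -ArgumentList '/u', '/s', "`"$dll`"" -Wait
    Write-Host "Unregistered $dll"
} else {
    Write-Host "$dll not found; skipping DLL step."
}
```

Note that removing the association only affects what happens when a user opens the file by name; software that identifies files by content, such as the desktop indexer in John's scenario, is addressed by the DLL step, not the association step, which is why the script does both and records how to undo each.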