The WMF shindig: celebrating zero-day new year presented at Virus Bulletin 2006

by Pukhraj Singh (Third Brigade Vulnerability Labs)

Tags: Security


Summary: The Windows Metafile Arbitrary Code Execution vulnerability (MS06-001) has set new benchmarks in zero-day vulnerability disclosure and proactive malware defence. With numerous versions of malware based on the vulnerability already circulating in the wild for a long time, the release of a public exploit with no official patch in sight suddenly escalated the situation gravely, with many security pundits citing a doomsday scenario.

The biggest challenge for vulnerability research teams was to provide a foolproof solution which encompassed a generic defence against the vulnerability, keeping in mind the uncountable versions of the malware popping out every second, which had already made many security products go berserk. Should the protection be network-based or host-based? What level of protection should we add, keeping in mind the chances of false positives and false negatives? How can we tackle the IDS/IPS evasion techniques? What local protection can we add? Can we emulate the yet-to-be-released Microsoft patch in advance? These were the questions which had become the burning issues on the conference tables of vulnerability research labs all across the globe.

This presentation will give you a highly technical insight into the vulnerability, the solution, the aftermath and the lessons learnt. A minute-by-minute recollection of an unforgettable new year.
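As an added illustration of the trade-off the summary raises between a precise structural check and a looser signature (and the false-positive/false-negative and evasion questions that come with it), here is a small Python WMF scanner. It is not part of the abstract or of the Third Brigade work it describes. It assumes the publicly documented trigger for MS06-001, a META_ESCAPE record (function 0x0626) carrying the SETABORTPROC sub-function (0x0009), which the abstract itself does not spell out; the WMF inputs are constructed inline for the example and are not captured malware.

```python
import struct

# WMF constants from the Windows Metafile format specification
PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header (22 bytes) precedes the standard header
STD_HEADER_LEN = 18            # standard METAHEADER: 9 16-bit words
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape sub-function abused by the MS06-001 exploits
SETABORTPROC_PATTERN = struct.pack("<HH", META_ESCAPE, SETABORTPROC)  # b"\x26\x06\x09\x00"


def build_wmf(records, placeable=False):
    """Construct a minimal WMF for this example (sample data, not a real file).
    records: list of (function, params_bytes, size_words_override_or_None).
    The override lets a sample carry a deliberately wrong record size."""
    body = b""
    max_words = 3
    for func, params, size_override in records + [(META_EOF, b"", None)]:
        if len(params) % 2:
            params += b"\x00"                      # records are word-aligned
        words = (6 + len(params)) // 2
        max_words = max(max_words, words)
        size_words = words if size_override is None else size_override
        body += struct.pack("<IH", size_words, func) + params
    total_words = (STD_HEADER_LEN + len(body)) // 2
    # Type=1 (memory), HeaderSize=9 words, Version=0x0300, Size, NumberOfObjects, MaxRecord, NumberOfMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    if placeable:
        # Key, HWmf, BoundingBox (4 shorts), Inch, Reserved, Checksum
        header = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + header
    return header + body


def walk_records(data):
    """Structural walk: yield (offset, function, size_words, params) per record."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    off += STD_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        end = off + size_words * 2
        params = data[off + 6:end] if size_words >= 3 else b""
        yield off, func, size_words, params
        if func == META_EOF:
            return
        # A size smaller than the 6-byte record header cannot be honoured;
        # step over the header so the walk does not loop forever.
        off = end if size_words >= 3 else off + 6


def scan_wmf(data):
    """Return a sorted list of (record_offset, reason) findings."""
    findings = set()
    for off, func, size_words, params in walk_records(data):
        if size_words < 3 or off + size_words * 2 > len(data):
            findings.add((off, "bad_record_size"))
        if func == META_ESCAPE and len(params) >= 2 and \
                struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
            findings.add((off, "setabortproc_escape"))
    # Byte-pattern fallback: catches an escape record whose size field was
    # tampered with to desynchronise a size-driven parser. It is cheap but can
    # match arbitrary data, which is the false-positive side of the trade-off.
    pos = data.find(SETABORTPROC_PATTERN)
    while pos != -1:
        findings.add((pos - 4, "setabortproc_pattern"))   # pattern sits 4 bytes into the record
        pos = data.find(SETABORTPROC_PATTERN, pos + 1)
    return sorted(findings)


# Constructed samples (hypothetical, not captured from real malware)
BENIGN = build_wmf([(0x0103, struct.pack("<H", 8), None)])          # META_SETMAPMODE(MM_ANISOTROPIC)
ESCAPE_PARAMS = struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4  # EscapeFunction, ByteCount, dummy data
TRIGGER = build_wmf([(META_ESCAPE, ESCAPE_PARAMS, None)], placeable=True)
TAMPERED = build_wmf([(META_ESCAPE, ESCAPE_PARAMS, 1)])            # size field claims 1 word

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("trigger", TRIGGER), ("tampered", TAMPERED)):
        print(name, scan_wmf(sample))
```

The structural walk reports the exact record, so it is the low-false-positive check; the tampered sample shows how a wrong size field hides the record from that walk while the pattern fallback still fires, at the cost of being a signature that a determined author could reshape and that random data could accidentally match.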
[1] The WMF Timeline:
October-December 2005: Numerous versions of private exploits were already circulating in the wild. The Russian Mafia was selling ready-to-run malware versions for $4000.
27th December 2005: The vulnerability details were disclosed publicly on a mailing list and a working exploit was released.
29th December 2005: Microsoft confirms the vulnerability, but no patch is in sight. Numerous versions of the malware are popping out every minute.
31st December 2005: Ilfak Guilfanov, an independent researcher, releases an unofficial patch for the vulnerability.
5th January 2006: Microsoft breaks out of its patch release cycle under pressure and delivers the fixes.