InfoCon: YELLOW
Monday, April 02, 2007
The SANS ISC InfoCon (if you aren't familiar with it, think of it as a "Terror Alert Status" for the web...oh, and it actually changes and relates to actual events, so they're not necessarily synonymous...), has been changed to YELLOW on account of exploitation of the new ANI vulnerability that entered the scene on Friday. Using a specially-crafted animated cursor, an attacker can use e-mail, web, or Windows Explorer to execute arbitrary code. In addition, a worm has been making the rounds that exploits the vulnerability (more here and here). You can find the original CERT advisory here, as well as a list of affected mail clients and their respective vulnerability levels from the ISC here. ISC's description of YELLOW status is:
We are currently tracking a significant new threat. The impact is either unknown or expected to be minor to the infrastructure. However, local impact could be significant. Users are advised to take immediate specific action to contain the impact. Example: 'MSBlaster' worm outbreak.
Seems that this 'sploit is worrisome-enough that Microsoft will be releasing an out-of-cycle patch for it come tomorrow (Tuesday). If that's the case, expect a return to Green soon thereafter, save for the poor sots who don't have Automatic Updates, or at least notification thereof, on and configured. However, until then, it's essential to continue with best practices, including NOT VISITING SPAMMED LINKS (c'mon, folks!), keeping your AV active and up-to-date, and, if you're that concerned, consider implementing the Zeroday Emergency Response Team's (ZERT) unofficial patch, with the caveat that it's just that: unofficial. Use at your own risk.
An interesting look at creating a 0-Day signature for the attack is available over at Errata Security.
Hunker-down for the day, take care while visiting your daily spams for deals on vIaGgr@ and C!@li$$, and turn back-on and update your AV that's been gathering dust in the taskbar. You won't be sorry. (Though, if that was the case, you may already be in a world of hurt...)
- David
posted by David @ 11:45 AM,
