Solved

What are IT departments doing about GDI+ flaw?

Posted on 2004-10-06
19
454 Views
Last Modified: 2010-04-11
The new GDI+ flaw and how to deal with it seems to be a huge task for IT departments. Especially for companies where applications are installed by end users when they need them. There are so many variations of software installed that no one seems to know all the answers. For example, if you have Office 97 with Outlook 2002 or 2003, what should be updated? Would Office updates automatically take care of these various software combinations? As an example, the issue of mso.dll and vgx.dll that GDI scan finds. How are they supposed to be dealt with?
I just can't imagine how this flaw can be dealt with in an orderly and sure way. Please correct me if I am wrong.

thanks.
Question by:mehranalmasi
19 Comments
 
LVL 34

Expert Comment

by:PsiCop
We're getting rid of Windoze. SUSE 9.1 Professional and OpenOffice, here we come.
 

Author Comment

by:mehranalmasi
I guess that is fine if you just use Office-type apps. It's not so easy, if not impossible, when you use Visio, Project and other programs that businesses depend on for doing work.
 
LVL 34

Expert Comment

by:PsiCop
Ah, yes, the litany of the Microsoftie - "You can't possibly move from Windoze! There's nothing else for X, Y and Z!!"

Pure FUD.

OSS Visio replacement - The GNOME Dia project --> http://www.gnome.org/projects/dia/

OSS Project replacement - The OpenWorkbench --> http://www.openworkbench.org/

Any other FUD?
 
LVL 8

Expert Comment

by:Jeff Rodgers
We use numerous custom applications which have been developed over the course of several years. There just weren't out-of-the-box applications available for our purposes which meet our process needs.

The movement away from Windows isn't a reality for us... (not without a few semis full of cash, anyways)

As such we need to stay a Microsoft shop. This means dealing with the fatal flaws out there.

Our current policies include installing available patches where available, shutting down unneeded services, hardening of servers, and locking down the corporate firewall to allow only the essential traffic.

Is this enough? One would hope so... but I guess every time you build a better mouse trap the mouse just gets smarter...
 
LVL 2

Expert Comment

by:kitisak
You should try using GDI Scanner to scan your machine. You will know which software has a problem. You can find more information at http://www.bleepingcomputer.com/forums/topict3077.html
 
LVL 34

Expert Comment

by:PsiCop
"The movement away from Windows isn't a reality for us... (not without a few semi's full of cash, anyways)"

What do you think it's costing you in terms of increased hardware costs (at least 2x that of other OSes, including Linux), increased security costs, more personnel, more downtime and more licensing charges? It's probably at least "a few semis full of cash".

But hey, mebbe your company's competitors have figgered that out.
 

Author Comment

by:mehranalmasi
kitisak
GDI scanner on every PC in the company? So if I have 800 PCs I need to do this on 800 PCs? Isn't that unrealistic? I have done some work with apps like Shavlik with limited success. I am getting the sense that this one is not going to be protected well. Even Symantec and McAfee have no solutions for it yet.

PsiCop: Everything is at least half as difficult to set up and configure in Windows as in Linux. That is a no-brainer and why MS is so successful today. So it's less expensive to have things up and running in Windows. The main issue here is the security. I don't think Linux is more secure. It's just not successful enough to have lots of enemies.
 
LVL 6

Expert Comment

by:knoxj81
Since you're in a business environment, trying to convert Windows workstations ("win babies") to use Linux is impossible. Sure, you might be able to switch some of your mail servers to Linux. As far as converting workstations from Windows to Linux to deal with the GDI+ exploit, it's just not possible. You have to deal with the time, which you don't have due to the fact there are already numerous exploits that use this GDI+ vulnerability.

So to protect your company from this exploit and future exploits I would do the following.

First, be sure to update your virus scanners, firewalls, etc... I'm afraid all the Windows GDI+ tool will do is let you know if you're screwed or not. Once updated, educate yourself on what you're up against.

Here's a link to a security site that shows 2 different attacks that use this exploit:
http://www.k-otik.com/

Here you'll see another: (You'll notice that the files the exploit tries to use are detected by leading AV programs.)
http://isc.sans.org/diary.php?date=2004-10-05

Now, I would consider creating a LINUX or WINDOWS IDS box or boxes. This will give you the ability to BLOCK all traffic related to this and many other exploits, attacks and virus activity. Now, since you're in the IT field and this might not be a fast enough solution, I would recommend purchasing a hardware IPS, which would do just fine in blocking this exploit.

Reference:
If you want to know more about IDS and solutions (free), please refer to an earlier post on IDS:
http://www.experts-exchange.com/Security/Q_21061304.html

eEye products (both BLINK & RETINA are fantastic, leading the market) offer a free 15-day trial.
http://www.eeye.com/html/products/blink/ & http://www.eeye.com/html/products/retina/index.html

Depending on your budget, this will be more than enough to lock down your network and give you the feeling your network is secure. So put the GDI+ nightmare to rest, and enjoy a good night's sleep! I do!

Good Luck,

Jorden

:: Please don't hesitate to ask if you have any questions or concerns ::
 
LVL 6

Expert Comment

by:knoxj81
Since you have such a large network, I would go with eeye.com; a little spendy but definitely the best, offers full reports, lets you scan the entire network. The only way to go is to take the free trial and see what it will do on a test box; you'll be a faithful user like our company.

Good Luck,

Jorden

 
LVL 34

Expert Comment

by:PsiCop
"I don't thin Linux is more secure. its just not sucessful enough to have lots of enemies."

More FUD. Apache is by far the most-successful webserver. Runs 3 websites for every one that IIS runs (Source: Netcraft). Where are all the webserver hacks? Hint: It's not on Apache. Your logic is flawed, almost as much as the Windoze design that runs everything in Ring 0/as root/with full control/choose the OS paradigm you want. Part of the reason that *NIXes tend to be more secure...and they do...is that the OS *design* does a better job of keeping malicious/poorly-written programs from running rampant.

But, as they say, you can lead a horse to water....
 
LVL 6

Expert Comment

by:knoxj81
psicop, stay on topic here. No need to get your panties in a bunch of your apache server.
 
LVL 34

Expert Comment

by:PsiCop
And there's no need for you to make personal attacks, knoxj81. Try to stay professional.

My point is that mehranalmasi's assertion that Windoze is more-attacked because it's more widely deployed is a fallacy.
 

Author Comment

by:mehranalmasi
PSICop
I have my opinion based on my experiences and so do you. I could be wrong or I could be right but I certainly don't appreciate your comments that contain too much of an edge that cancels out any possible content.

You won't be very healthy if you carry this strong bias against Microsoft and then see them at every corner you turn your head at.
 
LVL 34

Expert Comment

by:PsiCop
I carry a strong bias against FUD, such as the fallacy you presented.
 
LVL 2

Expert Comment

by:kitisak
Hi mehranalmasi,
I am looking forward to a GDI scanner for networks. I think it may be launched soon. If I get it, I will post.
 

Author Comment

by:mehranalmasi
knoxj81
Thanks for the helpful hints and links. A couple of questions:

1- Are our users in relatively safe shape on this issue according to Internet Storm Center's page?
> All our emails are scanned by BitDefender (GFI for Exchange) and all desktops have Symantec's latest def. files (10/06/2004)
To me it translates into: no dangerous JPEG will be allowed into users' inboxes in Exchange, and any dangerous JPEG about to be opened will be intercepted by Symantec.

Although all systems will eventually be patched.

2- Does IDS sit on a collision domain just like a sniffer, or at the edge of a switch?
 
LVL 6

Accepted Solution

by:
knoxj81 earned 250 total points
1 - As long as you're updated I would say you're in okay shape. I would run the GDI Scan tool on a few workstations just to see what programs you are using that might be at risk.

2 - IDS sniffs all packets and monitors what goes in and out. You have many options with IDS, depending on what your purpose is for having it set up. You can put it before the firewall, but that would only be useful if you were wanting to monitor ALL traffic. In your case you would want it after the firewall, so it's not monitoring traffic that is going to be blocked by your firewall.

If you are seriously considering setting up some IDS boxes, I would go purchase the book Snort 2.1 Intrusion Detection SE. This book explains everything from head to toe.

Let me know,

Jorden
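As an added example (not from this thread, and not code from any tool it names) of the kind of check a mail gateway or IDS-style filter could apply to the "dangerous JPEG" case discussed above: the GDI+ JPEG flaw is triggered by a comment (COM) segment whose 16-bit length field is smaller than the two bytes the field itself occupies, so a segment walker that flags that condition before a client renders the file is a simple, specific detection. The sample bytes are constructed, not real captures.

```python
import struct

# JPEG marker codes used below
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE


def find_malformed_com(data: bytes) -> list:
    """Return offsets of COM segments whose length field is < 2.

    The length counts its own two bytes, so anything below 2 is invalid;
    a decoder that subtracts 2 without checking underflows, which is the
    condition the GDI+ JPEG flaw depends on. Walking stops at the first
    such segment because nothing after it can be trusted.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    findings = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            break                      # lost marker sync; stop rather than guess
        marker = data[pos + 1]
        if marker == 0xFF:             # padding byte before a marker
            pos += 1
            continue
        if marker in (SOI, EOI) or 0xD0 <= marker <= 0xD7:
            if marker == EOI:
                break                  # end of image
            pos += 2                   # standalone marker, no length field
            continue
        if pos + 4 > len(data):
            break                      # truncated length field
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == COM and length < 2:
            findings.append(pos)
            break
        if marker == SOS:
            break                      # entropy-coded data follows the headers
        pos += 2 + length
    return findings


# Constructed samples (not real files): a minimal JPEG with a well-formed
# 5-byte comment, and the same bytes with the COM length field set to 1.
GOOD_JPEG = b"\xff\xd8\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello" + b"\xff\xd9"
BAD_JPEG = b"\xff\xd8\xff\xfe" + struct.pack(">H", 1) + b"hello" + b"\xff\xd9"

if __name__ == "__main__":
    for name, sample in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        print(name, find_malformed_com(sample))
```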
 

Author Comment

by:mehranalmasi
Jorden,
Thank you! I have enough help from your responses to think of a set of actions to continue dealing with the GDI flaw.
I also have bookmarked your security links to get info from them in future.
Are you using BLINK or RETINA? If so, what is the learning curve on them? I played with their Network Traffic Analyzer and was not convinced that it's the best sniffer.
 
LVL 6

Expert Comment

by:knoxj81
Retina is a wonderful program. I've evaluated it on my home test boxes and it found a lot of security issues. The Enterprise Suite is great. BLINK I haven't had a chance to test yet, but I've been waiting for it to come out for a while now.

I would use the 15-day trial and see what you think. After all, eEye products are expensive, so if budget is a non-factor I'd go with eEye. If budget is a factor, IDS (Snort) is free.

Lots of time + little money = custom IDS (Snort)

Little time + lots of money = eEye products.

Let me know,

Jorden