What are IT departments doing about GDI+ flaw?

The new GDI+ flaw, and how to deal with it, seems to be a huge task for IT departments, especially for companies where applications are installed by end users when they need them. There are so many variations of software installed that no one seems to know all the answers. For example, if you have Office 97 with Outlook 2002 or 2003, what should be updated? Would Office updates automatically take care of these various software combinations? As an example, the issue of mso.dll and vgx.dll that GDI scan finds: how are they supposed to be dealt with?
I just can't imagine how this flaw can be dealt with in an orderly and sure way. Please correct me if I am wrong.

Thanks.
0
Asked: mehranalmasi
1 Solution
 
PsiCop Commented:
We're getting rid of Windoze. SUSE 9.1 Professional and OpenOffice, here we come.
0
 
mehranalmasi (Author) Commented:
I guess that is fine if you just use Office-type apps. It's not so easy, if not impossible, when you use Visio, Project and other programs that businesses depend on for doing work.
0
 
PsiCop Commented:
Ah, yes, the litany of the Microsoftie - "You can't possibly move from Windoze! There's nothing else for X, Y and Z!!"

Pure FUD.

OSS Visio replacement - The GNOME Dia project --> http://www.gnome.org/projects/dia/

OSS Project replacement - The OpenWorkbench --> http://www.openworkbench.org/

Any other FUD?
0
 
Jeff Rodgers (Networks & Communications Systems Manager) Commented:
We use numerous custom applications which have been developed over the course of several years. There just weren't out-of-the-box applications available for our purposes which meet our process needs.

The movement away from Windows isn't a reality for us... (not without a few semis full of cash, anyways)

As such we need to stay a Microsoft shop. This means dealing with the fatal flaws out there.

Our current policies include installing available patches where available, shutting down unneeded services, hardening of servers, and locking down the corporate firewall to allow only the essential traffic.

Is this enough? One would hope so... but I guess every time you build a better mousetrap the mouse just gets smarter...

0
 
kitisak Commented:
You should try using GDI Scanner to scan your machine. You will know which software has a problem. You can find more information at http://www.bleepingcomputer.com/forums/topict3077.html
0
 
PsiCop Commented:
"The movement away from Windows isn't a reality for us... (not without a few semis full of cash, anyways)"

What do you think it's costing you in terms of increased hardware costs (at least 2x that of other OSes, including Linux), increased security costs, more personnel, more downtime and more licensing charges? It's probably at least "a few semis full of cash".

But hey, mebbe your company's competitors have figgered that out.
0
 
mehranalmasi (Author) Commented:
kitisak:
GDI scanner on every PC in the company? So if I have 800 PCs I need to do this on 800 PCs? Isn't that unrealistic? I have done some work with apps like Shavlik with limited success. I am getting the sense that this one is not going to be protected well. Even Symantec and McAfee have no solutions for it yet.

PsiCop: Everything is at least half as difficult to set up and configure in Windows as in Linux. That is a no-brainer and why MS is so successful today. So it's less expensive to have things up and running in Windows. The main issue here is the security. I don't think Linux is more secure. It's just not successful enough to have lots of enemies.
0
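The 800-PC objection above is really a collection problem: the per-machine scanner's output has to be gathered somewhere and compared against the patched version of each DLL, so that the IT department gets one list of hosts to fix rather than 800 screens to read. The script below is an added example, not code from this thread or from any GDI scan tool. It assumes each workstation appends one CSV line of the constructed form `host,path,file_version` (for instance from a login script) to a central share, and the minimum patched versions in `MIN_PATCHED` are placeholders to be replaced with the values from the vendor bulletin for each DLL.

```python
"""Aggregate per-host DLL scan lines into a fleet-wide patch report.

Added example (not from the thread). The input format host,path,file_version is
an assumption; the MIN_PATCHED numbers are PLACEHOLDERS, not real bulletin values.
"""
import csv
import io
from collections import defaultdict

# PLACEHOLDER minimum patched versions, keyed by lower-case DLL name.
# Substitute the versions published in the vendor bulletin for each DLL.
MIN_PATCHED = {
    "gdiplus.dll": (5, 1, 3100, 0),
    "mso.dll": (11, 0, 6000, 0),
    "vgx.dll": (6, 0, 2800, 1000),
}


def parse_version(text):
    """'5.1.3000.0' -> (5, 1, 3000, 0); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(path, version):
    """Label one DLL copy as patched, vulnerable, or a DLL we have no threshold for."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    minimum = MIN_PATCHED.get(name)
    if minimum is None:
        return "unknown-dll"
    # tuple comparison is lexicographic, so 5.1.3000.0 < 5.1.3100.0 as intended
    return "patched" if version >= minimum else "vulnerable"


def build_report(scan_lines):
    """Group scan lines by host; unparsable lines are counted, never silently dropped."""
    report = defaultdict(
        lambda: {"vulnerable": [], "patched": [], "unknown-dll": [], "bad-lines": 0}
    )
    for row in csv.reader(io.StringIO(scan_lines)):
        if not row:
            continue                      # blank line
        if len(row) != 3:
            report["(unparsed)"]["bad-lines"] += 1
            continue
        host, path, version_text = (field.strip() for field in row)
        try:
            version = parse_version(version_text)
        except ValueError:
            report[host]["bad-lines"] += 1  # scanner could not read the version
            continue
        report[host][classify(path, version)].append(path)
    return dict(report)


def hosts_needing_action(report):
    """Hosts with at least one DLL copy below the patched version."""
    return sorted(host for host, entry in report.items() if entry["vulnerable"])


# Constructed sample output from four workstations (not real scan data).
SCAN_OUTPUT = r"""
WS001,C:\WINDOWS\system32\gdiplus.dll,5.1.3200.0
WS001,C:\Program Files\SomeApp\gdiplus.dll,5.1.3000.0
WS002,C:\WINDOWS\system32\gdiplus.dll,5.1.3200.0
WS002,C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll,6.0.2900.0
WS003,C:\Program Files\Microsoft Office\OFFICE11\mso.dll,11.0.5600.0
WS003,C:\tools\other.dll,1.0.0.0
WS004,C:\WINDOWS\system32\gdiplus.dll,not-a-version
garbage line without commas
"""

if __name__ == "__main__":
    fleet = build_report(SCAN_OUTPUT)
    for host in sorted(fleet):
        entry = fleet[host]
        print(host, "vulnerable:", entry["vulnerable"], "bad lines:", entry["bad-lines"])
    print("needs action:", hosts_needing_action(fleet))
```

The point of keeping the `bad-lines` count is that a host whose scanner could not read a version (WS004 in the sample) is not "clean"; it is unknown, and belongs on the follow-up list alongside the hosts with an old private copy of gdiplus.dll under an application directory.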
 
knoxj81 Commented:
Since you're in a business environment, trying to convert Windows workstations ("win babies") to use Linux is impossible. Sure, you might be able to switch some of your mail servers to Linux. As far as converting workstations from Windows to Linux to deal with the GDI+ exploit, it's just not possible. You have to deal with the time, which you don't have due to the fact that there are already numerous exploits that use this GDI+ vulnerability.

So to protect your company from this exploit and future exploits I would do the following.

First, be sure to update your virus scanners, firewalls, etc... I'm afraid all the Windows GDI+ tool will do is let you know if you're screwed or not. Once updated, educate yourself with what you're up against.

Here's a link to a security site that shows 2 different attacks that use this exploit:
http://www.k-otik.com/

Here you'll see another: (You'll notice that the files the exploit tries to use are detected by leading AV programs.)
http://isc.sans.org/diary.php?date=2004-10-05

Now, I would consider creating a LINUX or WINDOWS IDS box or boxes. This will give you the ability to BLOCK all traffic related to this and many other exploits, attacks, and virus activity. Now since you're in the IT field and this might not be a fast enough solution, I would recommend purchasing a hardware IPS, which would do just fine in blocking this exploit.

Reference:
If you want to know more about IDS and solutions (free), please refer to an earlier post on IDS:
http://www.experts-exchange.com/Security/Q_21061304.html

eEye products (both BLINK & RETINA are fantastic, leading the market); offers a free 15-day trial.
http://www.eeye.com/html/products/blink/ & http://www.eeye.com/html/products/retina/index.html

Depending on your budget, this will be more than enough to lock down your network and have the feeling your network is secure. So put the GDI+ nightmare to rest, and enjoy a good night's sleep! I do!

Good Luck,

Jorden

:: Please don't hesitate to ask if you have any questions or concerns ::

0
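The reassurance above that the files these exploits use are caught by leading AV programs rests on a gateway being able to recognise a malformed JPEG before GDI+ ever parses it. The checker below is an added example, not code from this thread or from any AV or IDS product. It walks the JPEG marker segments and rejects any segment whose 16-bit length field (which by the JPEG format counts its own two bytes) is below 2 or runs past the end of the data; the undersized comment-segment length is the condition the GDI+ JPEG flaw hinged on, and it is what mail-gateway and IDS signatures for it looked for. The sample images are constructed inline, not real files.

```python
"""Structural sanity check for JPEG marker segments.

Added example, not from the thread or from any AV/IDS product. Every JPEG marker
segment (except SOI, EOI, RSTn and TEM) carries a big-endian 16-bit length that
includes the two length bytes themselves, so a declared length below 2 can never
be valid; that undersized length is what the GDI+ JPEG flaw hinged on.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# markers that carry no length field: TEM, RST0-RST7, SOI, EOI
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def check_jpeg(data):
    """Return None when the segment structure is sane, else a string naming the problem."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return "missing SOI marker"
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return f"expected a marker at offset {pos}"
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            return "truncated marker"
        marker, start = data[pos], pos - 1
        pos += 1
        if marker == EOI:
            return None
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return f"marker FF{marker:02X} at offset {start}: truncated length field"
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            return f"marker FF{marker:02X} at offset {start}: declared length {length} < 2"
        if pos + length > len(data):
            return f"marker FF{marker:02X} at offset {start}: declared length {length} exceeds remaining data"
        pos += length
        if marker == SOS:
            # entropy-coded data follows: skip until a marker other than a stuffed FF00 or RSTn
            while pos < len(data):
                if data[pos] == 0xFF and pos + 1 < len(data):
                    nxt = data[pos + 1]
                    if nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                        break
                pos += 1
    return "no EOI marker"


def _segment(marker, payload):
    """Marker + length (payload plus the two length bytes) + payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples (not real image files): a minimal well-formed structure, a
# comment segment whose length field says 1 (below the 2-byte minimum), and a
# segment whose declared length runs past the end of the data.
GOOD_JPEG = (
    bytes([0xFF, SOI])
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFE, b"a harmless comment")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"          # entropy-coded bytes, with one stuffed FF00
    + bytes([0xFF, EOI])
)
BAD_COM_JPEG = bytes([0xFF, SOI, 0xFF, 0xFE]) + struct.pack(">H", 1) + b"\x00" + bytes([0xFF, EOI])
TRUNCATED_JPEG = bytes([0xFF, SOI, 0xFF, 0xFE]) + struct.pack(">H", 64) + b"abc"

if __name__ == "__main__":
    for label, sample in [("good", GOOD_JPEG), ("bad COM", BAD_COM_JPEG), ("truncated", TRUNCATED_JPEG)]:
        print(f"{label}: {check_jpeg(sample) or 'OK'}")
```

A gateway that runs this before handing an attachment to anything GDI+-based rejects the malformed file on structure alone, without needing a signature for any particular sample; a real decoder still has to be patched, because structurally valid files can carry other problems this check does not look for.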
 
knoxj81 Commented:
Since you have such a large network, I would go with eeye.com: a little spendy but definitely the best, offers full reports, lets you scan the entire network. The only way to go is to take the free trial and see what it will do on a test box; you'll be a faithful user like our company.


Good Luck,

Jorden
0
 
PsiCop Commented:
"I don't think Linux is more secure. It's just not successful enough to have lots of enemies."

More FUD. Apache is by far the most successful webserver. It runs 3 websites for every one that IIS runs (source: Netcraft). Where are all the webserver hacks? Hint: it's not on Apache. Your logic is flawed, almost as much as the Windoze design that runs everything in Ring 0/as root/with full control/choose the OS paradigm you want. Part of the reason that *NIXes tend to be more secure...and they do...is that the OS *design* does a better job of keeping malicious/poorly-written programs from running rampant.

But, as they say, you can lead a horse to water....
0
 
knoxj81 Commented:
psicop, stay on topic here. No need to get your panties in a bunch over your Apache server.
0
 
PsiCop Commented:
And there's no need for you to make personal attacks, knoxj81. Try to stay professional.

My point is that mehranalmasi's assertion that Windoze is more attacked because it's more widely deployed is a fallacy.
0
 
mehranalmasi (Author) Commented:
PSICop
I have my opinion based on my experiences and so do you. I could be wrong or I could be right but I certainly don't appreciate your comments that contain too much of an edge that cancels out any possible content.

You won't be very healthy if you carry this strong bias against Microsoft and then see them at every corner you turn your head at.
0
 
PsiCop Commented:
I carry a strong bias against FUD, such as the fallacy you presented.
0
 
kitisak Commented:
Hi mehranalmasi,
I am looking forward to a GDI scanner for networks. I think it may be launched soon. If I get it, I will post.
0
 
mehranalmasi (Author) Commented:
knoxj81:
Thanks for the helpful hints and links. A couple of questions:

1- Are our users in relatively safe shape on this issue according to Internet Storm Center's page?
> All our emails are scanned by BitDefender (GFI for Exchange) and all desktops have Symantec's latest def. files (10/06/2004).
To me it translates into: no dangerous JPEG will be allowed into users' inboxes in Exchange, and any dangerous JPEG about to be opened will be intercepted by Symantec.

Although all systems will eventually be patched.

2- Does an IDS sit on a collision domain just like a sniffer, or at the edge of a switch?

0
 
knoxj81 Commented:
1 - As long as you're updated, I would say you're in okay shape. I would run the GDI Scan tool on a few workstations just to see what programs you are using that might be at risk.

2 - IDS sniffs all packets and monitors what goes in and out. You have many options with IDS, depending on your purpose in having it set up. You can put it before the firewall, but that would only be useful if you were wanting to monitor ALL traffic. In your case you would want it after the firewall, so it's not monitoring traffic that is going to be blocked by your firewall.

If you are seriously considering setting up some IDS boxes, I would go purchase the book Snort 2.1 Intrusion Detection SE. This book explains everything from head to toe.

Let me know,

Jorden
0
 
mehranalmasi (Author) Commented:
Jorden,
Thank you! I have enough help from your responses to think of a set of actions to continue dealing with the GDI flaw.
I also have bookmarked your security links to get info from them in future.
Are you using BLINK or RETINA? If so, what is the learning curve on them? I played with their Network Traffic Analyzer and was not convinced that it's the best sniffer.

0
 
knoxj81 Commented:
Retina is a wonderful program. I've evaluated it on my home test boxes and it found a lot of security issues. The Enterprise Suite is great. BLINK I haven't had a chance to test yet, but I've been waiting for it to come out for a while now.

I would use the 15-day trial and see what you think. After all, eEye products are expensive, so if budget is a nonfactor I'd go with eEye. If budget is a factor, IDS (Snort) is free.


Lots of time + little money = custom IDS (Snort)

Little time + lots of money = eEye products.

Let me know,

Jorden
0
