[ISN] Update: Microsoft says 'wait for us' as WMF threat climbs

From: InfoSec News (isn@private)
Date: Wed Jan 04 2006 - 03:07:59 PST


By Peter Sayer
IDG News Service
January 03, 2006

Some security researchers are advising Windows users to rush to
install an unofficial patch to fix a vulnerability in the way the OS
renders graphics files, but Microsoft Corp. wants customers to wait
another week for its official security update, it announced Tuesday.

The problem is in the way various versions of Windows handle graphics
in the WMF (Windows Metafile) format. When a vulnerable computer opens
a maliciously crafted WMF file, it can be forced to execute arbitrary
code. Microsoft published a first security advisory on Dec. 28, saying
it had received notification of the problem on Dec. 27 and was
investigating whether a patch was necessary.

On Tuesday, Microsoft updated the advisory to say it has completed
development of its own patch, and is now testing it for release next

"Microsoft recommends that customers download and deploy the security
update for the WMF vulnerability that we are targeting for release on
Jan. 10, 2006," said the advisory, the full text of which can be found
here [1].

The company said it carefully reviews and tests its security updates,
and offers them in 23 languages for all affected versions of its
software simultaneously. It "cannot provide similar assurance for
independent third-party security updates," it said.

The number of users potentially at risk is high, with all versions of
Windows exhibiting the vulnerability, but the number actually affected
so far is relatively low, researchers say.

Staff at McAfee Inc.'s Avert security research lab report that 7.45
percent of users of the company's retail security products were found
to have computers infected with malicious programs through the WMF
exploit as of Tuesday. That's up from 6 percent of users on Saturday.

However, the chance of running into a malicious WMF file is climbing,
and with it the danger of running an unpatched system. Already, one
security Web site has had to warn its readers to stay away: the owners
of the knoppix-std.org site warned in a forum posting that hackers had
modified the site so as to attempt to exploit the vulnerability on
site visitors' machines.

There is "a lot of potential risk" associated with the vulnerability,
according to Jay Heiser, a research vice president with Gartner Inc.  
and the company's lead analyst on information security issues. "If it
can be exploited in any significant way, it would be an extremely big

"It's a race between Microsoft and the exploit community," he said.

The bad guys had a head start in that race. Security researchers at
Websense Inc. first spotted malicious Web sites using the exploit on
Dec. 27, but those sites may have been doing so as early as Dec. 14,
the company said.

On Dec. 28, Microsoft ambled out of the starting blocks with its first
security advisory acknowledging a potential problem.

Over the weekend, it updated this to suggest a way in which users
could reduce the risk by disabling an affected part of the OS, called
shimgvw.dll. Microsoft warned that the fix has the side effect of
stopping the Windows Picture and Fax Viewer from functioning normally.  
Others report that it also stops Windows Explorer from showing
thumbnails for digital photos.

Security researchers outside Microsoft had other ideas: rather than
disable shimgvw.dll, they would modify it so that only the
functionality considered dangerous was blocked. By Dec. 31, programmer
Ilfak Guilfanov had developed an unofficial patch to reduce the danger
of attack, without impairing Windows' graphics functions.

His patch quickly won the support of security researchers including
The SANS Institute's Internet Storm Center (ISC) and F-Secure Corp.

Mikko Hypponen, chief research officer at F-Secure, feels safe
recommending the Guilfanov patch for several reasons.

"We know this guy. We have checked the code. It does exactly what he
says it does, and nothing else. We've checked the binary, and we've
checked that the fix works," he said.

He had one final vote of confidence: "We've installed it on all our
own computers."

Sophos PLC's Senior Security Consultant Carole Theriault advised
businesses not to install the unofficial patch. "We wouldn't recommend
it, for testing reasons," she said.

One of the hidden dangers of the WMF vulnerability is that things are
not always what they appear. Usually, WMF files can be identified by
their .WMF file extension, and blocked as a precaution, but attackers
may choose to disguise malicious files simply by giving them another
image file suffix, such as .JPG, because the Windows graphics
rendering engine attempts to identify graphics files by their content,
not their name. That was the case with a file with the title
"happynewyear.jpg" that began circulating in e-mail messages on Dec.  
31: If opened on a Windows machine, the file attempts to download and
install a backdoor called Bifrose.
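The point above is that an extension filter cannot be trusted to catch WMF content, because Windows recognises a metafile by its bytes rather than its name. A gateway or mail filter therefore has to do the same. The following is an added example written for this page, not code from the article or from any vendor quoted in it: it classifies a file by its leading bytes (the placeable WMF key and the standard META_HEADER fields, alongside the JPEG, PNG, GIF and BMP signatures) and compares the result with the declared extension. The sample files, including the minimal benign WMF built by `build_minimal_wmf()`, are constructed here for illustration; the article does not reproduce the bytes of the malicious "happynewyear.jpg", so the disguised sample only reproduces the naming trick, not the payload.

```python
import struct

# Aldus "placeable" metafile key, 0x9AC6CDD7 stored little-endian.
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"
META_EOF = 0x0000  # RecordFunction of the terminating record

# Normalise declared extensions so "jpg" and "jpeg" compare equal.
EXT_TO_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
               "gif": "gif", "bmp": "bmp", "wmf": "wmf"}


def build_minimal_wmf() -> bytes:
    """Constructed sample: an 18-byte META_HEADER plus one META_EOF record.

    This is a benign, empty metafile used only so the checker has WMF bytes
    to look at; it contains no drawing records at all.
    """
    records = struct.pack("<IH", 3, META_EOF)   # RecordSize = 3 WORDs, function 0
    total_words = (18 + len(records)) // 2
    header = struct.pack(
        "<HHHIHIH",
        2,            # Type: 2 = disk metafile (1 = memory metafile)
        9,            # HeaderSize in WORDs, always 9
        0x0300,       # Version: Windows 3.x metafile
        total_words,  # Size of the whole file in WORDs
        0,            # NumberOfObjects
        3,            # MaxRecord: size of the largest record, in WORDs
        0,            # NumberOfMembers (reserved)
    )
    return header + records


def sniff_image_type(data: bytes) -> str:
    """Identify an image by content, the way the Windows renderer does."""
    if data.startswith(PLACEABLE_WMF_KEY):
        return "wmf"
    if len(data) >= 18:
        typ, header_size, version = struct.unpack_from("<HHH", data, 0)
        if typ in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if data[:2] == b"BM":
        return "bmp"
    return "unknown"


def check_attachment(name: str, data: bytes) -> dict:
    """Compare the declared extension with the sniffed type and decide."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = sniff_image_type(data)
    declared_kind = EXT_TO_KIND.get(ext, ext)
    return {
        "name": name,
        "declared": ext,
        "actual": actual,
        # Block WMF content regardless of what the file is called.
        "block": actual == "wmf",
        # Flag any recognised image whose bytes disagree with its extension.
        "mismatch": actual != "unknown" and actual != declared_kind,
    }


# Constructed inputs for the demonstration (not real captured samples).
SAMPLES = {
    "happynewyear.jpg": build_minimal_wmf(),             # WMF wearing a .jpg name
    "vacation.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,  # genuine JPEG start
    "chart.wmf": build_minimal_wmf(),                    # honestly named WMF
    "notes.txt": b"hello",                               # not an image at all
}


def scan(samples=SAMPLES) -> dict:
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for verdict in scan().values():
        print(f'{verdict["name"]:20} declared={verdict["declared"]:4} '
              f'actual={verdict["actual"]:7} block={verdict["block"]} '
              f'mismatch={verdict["mismatch"]}')
```

The check deliberately blocks on content type alone and treats the extension only as a secondary signal: the disguised file is caught because its first bytes parse as a metafile header, and the honestly named `chart.wmf` is blocked for the same reason, while the real JPEG passes untouched.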

As a consequence, said Theriault, businesses should keep existing
antivirus protection up to date and concentrate on blocking
unsolicited mail while waiting for the Microsoft patch, as this may
help to screen out attacks. They should encourage users to practice
safe computing by only visiting reputable Web sites and taking care
with what they download, she said.

(Jeremy Kirk in London contributed to this report.)

[1] http://www.microsoft.com/technet/security/advisory/912840.mspx


This archive was generated by hypermail 2.1.3 : Wed Jan 04 2006 - 03:40:56 PST