Analysts Fret as Adware Makers Leverage WMF Flaw

By David Morgenstern  |  Posted 2005-12-29 Print this article Print

Updated: More adware networks are taking advantage of the Windows Metafile Format flaw, presenting exploited banner ads on Web sites.

Exploits of the WMF (Windows Metafile Format) flaw continued on Thursday as advertising networks took advantage of the vulnerability to spread their "products."

Several security lists and Weblogs warned that the Exfol adware network was presenting coded WMF images on rotating banner ads.
Researchers said that sites running pop-up advertisements from the network will infect viewers with vulnerable systems.
"You dont have to go to a crack site or a porn site," observed a posting on the blog of firewall vendor Sunbelt Software USA, of Clearwater, Fla. "You go to any site that is using rotational popups from a third party ad network that is spawning Exfol popups, you get exploited," the posting continued. Click here to read more about Zero-Day Exploits of the WMF flaw. According to a mid-December listing by McAfee Inc., the Exfol adware download adds a toolbar to Internet Explorer as well as a pack of Browser Helper Objects and other code. Earlier on Thursday, Websense Security Labs reported that thousands of sites were distributing the exploit code from a site called iFrameCASH BUSINESS. "I fear for the worst here, just because the wrong guys have it," warned Richard M. Smith, a security and privacy consultant based in Boston, referring to the Exfol network exploits. "These guys in the malware-for-profit business will figure out all the different ways they can make a profit off of [the WMF flaw]." Vulnerable operating systems include a range of Windows Server 2003 editions: Datacenter Edition, Enterprise Edition, Standard Edition and Web Edition. Also at risk are Windows XP Home Edition and Windows XP Professional, making both home users and businesses open to attack. On Wednesday, Microsoft posted a workaround. However, several security researchers, including Smith, said that more is needed, and quickly. According to Smith, Microsofts workaround is inadequate. "We need a quick fix to turn off WMF. The number one thing is that it needs to be turned off in the browser." However, a Microsoft spokesperson disputed this claim. "The workaround does prevent attempts to exploit this issue through Internet Explorer," the spokesperson said. "The IE code path for displaying images itself is not vulnerable to this issue and the workaround blocks access to the Windows Fax and Picture Viewer from Internet Explorer. Therefore once the workaround has been applied, IE is not vulnerable by viewing images on a webpage." Microsoft is also continuing to study the problem. "While Microsoft is investigating the public postings which seek to utilize specially formed WMF files through IE, the company is looking thoroughly at all instances of WMF handling as part of the investigation," said the spokesperson. Security Editor Larry Seltzer says that WMF stands for a "Windows Major Foul-Up." Click here to read more. "Microsoft is not aware of any attempts to embed specially formed WMF files in things such as word documents," the spokesperson said. However, the company advised users "to accept files only from [a] trusted source." F-Secure reported some 57 versions the malicious .wmf file exploit as of Thursday, dubbed the PFV-Exploit. Although the exploit has only been used to install spyware or fake anti-spyware/anti-virus software thus far, the security firm anticipated that real viruses using WMF will start to spread soon. Larry Seltzer contributed to this report. Editors Note: This story was updated to include information and comments from Microsoft. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.
David Morgenstern is Executive Editor/Special Projects of eWEEK. Previously, he served as the news editor of Ziff Davis Internet and editor for Ziff Davis' Storage Supersite.

In 'the days,' he was an award-winning editor with the heralded MacWEEK newsweekly as well as eMediaweekly, a trade publication for managers of professional digital content creation.

David has also worked on the vendor side of the industry, including companies offering professional displays and color-calibration technology, and Internet video.

He can be reached here.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel