Critical Impact: Windows Metafile Flaw a Zero-Day Exploit - Page 2

By Lisa Vaas  |  Posted 2005-12-28

F-Secure traced the exploit to Russian sites, one of which is allegedly registered to former Soviet Union President Mikhail Gorbachev. Sunbelt warns that users are likely to get infected by being directed to one of the sites via spam that offers dirty pictures, free software or other bait. The attack works by tricking users into opening malicious ".wmf" files in "Windows Picture and Fax Viewer" or by previewing such a file by selecting it in Windows Explorer. The attack can also be triggered automatically when visiting malicious Web sites via Internet Explorer.
Although Secunia deemed the flaw highly critical, at least one security researcher was dismissive of the bug's severity. Pete Lindstrom, research director for Spire Security LLC, said that at this stage in the game, anything that requires user interaction is hardly worth notice.
"There's no such thing as extremely critical when user interaction is required," Lindstrom said. "That's just silly."

But as far as using IE goes, the download of malicious software is automatic, happening immediately upon going to the site, pointed out Alex Eckelberry, president of Sunbelt Software. "There is no user interaction required," he wrote in an e-mail exchange. "You hit the Web site, you get hit immediately. No prompts, nothing."

John Pescatore, an analyst with Gartner Inc., said that this type of attack may be slowed down by requiring users to click on a malicious .wmf file or to go to a malicious Web site, but that doesn't mean it won't spread fast, given users' willingness to click on bait. "One of these [attacks] where clicking on a URL [is involved], those can spread pretty fast," he said, given users' proclivity to click away. "We do online consumer studies. Two years ago, 30 percent had fallen for phishing [schemes]. They entered their user name, password or credit card information. This year, many fewer completely fell for them, but they still clicked on the link in the phishing e-mail."

Given the rise of keystroke loggers that can be downloaded automatically onto a user's system after the user visits a malicious site, the Web-surfing population is still ripe for phishing, Pescatore said. "They're still clicking on links, and whenever malicious software gets installed, that's when you get a critical rating, because all sorts of bad things can happen."

According to Secunia, the vulnerability is caused by an error in handling corrupted .wmf files. WMF is a graphics file format used to exchange graphics information between Microsoft Windows applications; it can hold both vector and bit-mapped images. Secunia confirmed the vulnerability on a fully patched system running Windows XP SP2.
The advisory said that Windows Server 2003 SP0 and SP1 systems have also reportedly been affected.

A Microsoft spokesman told eWEEK in an e-mail exchange on Wednesday that Microsoft "is investigating new public reports of a possible vulnerability in Windows," although he didn't give an ETA for a patch. "Microsoft will continue to investigate the public reports to help provide additional guidance for customers," he said. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or issuing a security advisory, depending on customer needs."

The spokesman went on to encourage customers to follow Microsoft's Protect Your PC guidelines of enabling a firewall, getting software updates and installing anti-virus software. Customers who think they've been affected can also contact Product Support Services, which is at 1-866-PCSAFETY in North America or at for outside North America. Microsoft also advises customers who think they've been attacked to contact their local FBI office or to post the incident on Customers outside the United States should contact the national law enforcement agency in their country, the spokesman said.

The advisory issued by Microsoft later on Wednesday said that Microsoft is aware of the code, which allows an attacker "to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image." Microsoft's advisory echoed Lindstrom's take, however, stating that attackers have "no way to force users to visit a malicious Web site." Instead, the advisory continued, attackers have to persuade users to visit the sites, "typically by getting them to click a link that takes them to the attacker's Web site."
The advisory said that Microsoft would either issue a patch through its monthly release process or provide an out-of-cycle security update, "depending on customer needs." Microsoft's spokesman declined to state how many customers had reported being victimized by the attack.

Secunia advised that users avoid opening or previewing untrusted .wmf files, and set the security level to "High" in IE.

Lindstrom noted that the long-term answer to dealing with what he called this type of "flotsam and jetsam" of constant security alerts is to install host intrusion prevention software, which designates what software is allowed to run on a system and what it is allowed to do. As for the short-term response to this particular vulnerability, Lindstrom echoed Secunia's advisory when it comes to untrusted files: "Don't click on it," he said.

Editor's Note: This story was updated to include Microsoft's statement, more on the recommended workaround and more details about the exploit from Sunbelt and F-Secure. Additional reporting by Ben Charny.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
