Analysts Fret as Adware Makers Leverage WMF Flaw

Updated: More adware networks are taking advantage of the Windows Metafile Format flaw, presenting exploited banner ads on Web sites.

Exploits of the WMF (Windows Metafile Format) flaw continued on Thursday as advertising networks took advantage of the vulnerability to spread their "products."

Several security lists and Weblogs warned that the Exfol adware network was presenting coded WMF images on rotating banner ads.

Researchers said that sites running pop-up advertisements from the network will infect viewers with vulnerable systems.

"You dont have to go to a crack site or a porn site," observed a posting on the blog of firewall vendor Sunbelt Software USA, of Clearwater, Fla.

"You go to any site that is using rotational popups from a third party ad network that is spawning Exfol popups, you get exploited," the posting continued.

/zimages/3/28571.gifClick here to read more about Zero-Day Exploits of the WMF flaw.

According to a mid-December listing by McAfee Inc., the Exfol adware download adds a toolbar to Internet Explorer as well as a pack of Browser Helper Objects and other code.

Earlier on Thursday, Websense Security Labs reported that thousands of sites were distributing the exploit code from a site called iFrameCASH BUSINESS.

"I fear for the worst here, just because the wrong guys have it," warned Richard M. Smith, a security and privacy consultant based in Boston, referring to the Exfol network exploits. "These guys in the malware-for-profit business will figure out all the different ways they can make a profit off of [the WMF flaw]."

Vulnerable operating systems include a range of Windows Server 2003 editions: Datacenter Edition, Enterprise Edition, Standard Edition and Web Edition. Also at risk are Windows XP Home Edition and Windows XP Professional, making both home users and businesses open to attack.

On Wednesday, Microsoft posted a workaround. However, several security researchers, including Smith, said that more is needed, and quickly.

According to Smith, Microsofts workaround is inadequate. "We need a quick fix to turn off WMF. The number one thing is that it needs to be turned off in the browser."

However, a Microsoft spokesperson disputed this claim. "The workaround does prevent attempts to exploit this issue through Internet Explorer," the spokesperson said.

"The IE code path for displaying images itself is not vulnerable to this issue and the workaround blocks access to the Windows Fax and Picture Viewer from Internet Explorer. Therefore once the workaround has been applied, IE is not vulnerable by viewing images on a webpage."

Microsoft is also continuing to study the problem.

"While Microsoft is investigating the public postings which seek to utilize specially formed WMF files through IE, the company is looking thoroughly at all instances of WMF handling as part of the investigation," said the spokesperson.

/zimages/3/28571.gifSecurity Editor Larry Seltzer says that WMF stands for a "Windows Major Foul-Up." Click here to read more.

"Microsoft is not aware of any attempts to embed specially formed WMF files in things such as word documents," the spokesperson said. However, the company advised users "to accept files only from [a] trusted source."

F-Secure reported some 57 versions the malicious .wmf file exploit as of Thursday, dubbed the PFV-Exploit.

Although the exploit has only been used to install spyware or fake anti-spyware/anti-virus software thus far, the security firm anticipated that real viruses using WMF will start to spread soon.

Larry Seltzer contributed to this report.

Editors Note: This story was updated to include information and comments from Microsoft.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.