Depending on where you look, most people are either running in circles hysterically or ho-humming the Windows WMF vulnerability.
It does have some of the earmarks of a nasty situation. For one thing, if youre running Windows—any version—youre vulnerable. Even the 1990 version of Windows 3.0 is vulnerable!
While you were out partying this weekend I was reading security discussion lists and testing malware (yes, I know, my wife wants me to seek help for this problem too). Some respected people out there think this is one of the all-time bad ones.
On the other hand, its Monday morning, Jan. 2, and none of the major anti-virus has a serious alert up. McAfee, Symantec, Trend and Panda all show no alarm, and the ones that have a general level of alertness are all showing a low level. Panda can usually be counted on for some hysteria at a time like this, and Computer Associates doesnt even seem aware of the threat on its site.
There is F-Secure, who is showing a Level 2 (out of 3) alert. F-Secure has been on top of this situation from the very beginning, and perhaps it is the only one with staff working to update its site over the holiday.
Well, thats getting a little too mean. As I pointed out in an earlier piece, actual testing of 73 variants of this threat shows excellent protection common among anti-virus vendors. As of Saturday morning, the 100 percent list included AntiVir, Avast, BitDefender, ClamAV, Command, Dr Web, eSafe, eTrust-INO, eTrust-VET, Ewido, F-Secure, Fortinet, Kaspersky, McAfee, Nod32, Norman, Panda, Sophos, Symantec, Trend Micro and VirusBuster. If youre a user of one of these products and you keep your anti-virus updated, odds are good that youre protected against any exploits youre likely to see.
And as one of the anti-virus vendors pointed out to me, there may be dozens of variants out there and a first attempt at an IM worm, but there is no major attack yet. In other words, there may be a major vulnerability, but there is no major exploit, and youre unlikely to encounter one unless you spend a lot of time on porn sites or already are running adware.
There are worse attacks
Personally, I reserve the level of anxiety Im seeing out there for network worms like Blaster and Sasser, not for threats that, as far as we can tell so far, require user action. It could be that someone will come up with a way to make these exploits work without the user having to open a file or navigate to a Web site, but it hasnt happened yet, and it might not. And in the meantime, mainstream security products are dealing with the problem.
And there are other things that proactive users and administrators can do. Theres Microsofts workaround, which disables the Windows Picture and Fax Viewer program (see Microsofts advisory for details). This is not a fix for the basic problem, but rather it blocks the most prominent vector for exploiting this vulnerability. There are other vectors, such as Microsoft Paint, Lotus Notes and probably many other applications. Still, this solution does have the advantages of being safe, albeit at the loss of some system functionality (your picture viewer and thumbnails in Windows Explorer), and having the explicit endorsement of Microsoft.
But theres a better, although somewhat riskier, solution: A well-known programmer named Ilfak Guilfanov has released a patch he wrote that addresses the core problem by disabling the Windows functionality on which the exploits depend. Guilfanov has tested it on Windows 2000 (SP4), XP 32-bit, XP 64-bit and Windows Server 2003. This patch comes with an uninstaller that I have tested, albeit on a single box, and it works.
The consensus in the security discussions I have read is that the removed Windows functionality is not something that will ever be missed, but that strikes me as an arrogant assumption. Theres an astonishing amount of code written for Windows and, as Guilfanov himself explained in a security discussion this weekend, there are legitimate uses for it. The real solution would be a real patch from Microsoft for the vulnerable code, one that has been tested on all the supported versions, including the international ones.
I hope this next statement is quickly made obsolete, but as I write this we still dont have a patch. Im ready to say that Guilfanovs patch appears safe and effective for mainstream U.S. versions of Windows, but I would have preferred a more comprehensive test.
Yes, we could still have a major outbreak on our hands, but Im reasonably satisfied that the people most likely to be affected are those who leave their PCs unprotected by anti-virus software and credulously open files sent by strangers. Indeed, the most likely way to be attacked through this vulnerability is by viewing an adware-infected Web site that you are most likely to visit when redirected by adware already on your system. Exploiting the already exploited doesnt score you any points in the malware business.
And you do need to be either already exploited or credulous enough to get yourself there to fall for this. Actually, the very fact that you read this column probably makes you too aware of security issues to be attacked successfully.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
More from Larry Seltzer