    Microsoft’s WMF Patch Leaks Out

    By Ryan Naraine - January 4, 2006

      A cryptographically signed version of Microsoft Corp.’s patch for the Windows Metafile vulnerability accidentally leaked onto the Internet late Tuesday, adding a new wrinkle to the company’s round-the-clock efforts to stop the flow of malicious exploits.

      The MSRC (Microsoft Security Response Center) acknowledged that a slip-up caused “a fast-track, pre-release version of the update” to be posted to a security community site and urged users to “disregard” the premature update.

      The company’s official recommendation is for Windows users to unregister the Windows Picture and Fax Viewer (Shimgvw.dll) and wait for a properly tested patch scheduled for Jan. 10.

      Mike Reavey, operations manager of the MSRC, said the appearance of the pre-release code was inadvertent.

      “There has been some discussion and pointers on subsequent sites to the pre-release code. We recommend that customers disregard the postings and continue to keep up to date with our latest information on the WMF issue,” Reavey said.

      A security researcher who had seen the leaked patch told eWEEK it contained an updated GDI32.DLL file that was created by Microsoft immediately after the first exploits started appearing on malicious Web sites on Dec. 27.

      Interestingly, Microsoft’s patch works seamlessly with the unofficial hotfix from reverse-engineering guru Ilfak Guilfanov. “It looks like Microsoft was right on the ball with a patch and they’ve done it the right way, taking all things into consideration, including the fact that [Guilfanov’s patch] is going to be on a lot of machines,” a source said.

      Microsoft has frowned on the availability of a third-party update, insisting that it cannot vouch for the quality of an unofficial patch that did not go through a full test pass.


      Even as Microsoft scrambles to contain a threat that has grown to more than 100 exploits, there is a growing sense that some in the research community—and the mainstream media—have overblown the severity of the issue.

      Privately, Redmond officials have bristled at attempts to liken the WMF exploits to debilitating network worms like Blaster and Sasser, especially since significant user interaction is required before an attack is successful.

      Shane Coursen, senior technical consultant at Kaspersky Lab, said the general feeling was that the vulnerability should be rated “a step below critical.”

      “If this vulnerability were to be packaged in a completely automated worm in the wild that doesn’t require the user to click on anything, then it would be really critical. But there’s no automated attack vector here,” Coursen said.

      However, Coursen said the flaw represents a “very serious” threat that should be fixed as soon as a thoroughly tested patch is available. “It’s very important the people follow the advice to unregister Shimgvw.dll and keep anti-virus programs updated. You don’t want to overblow the threat but you don’t want to give people a false sense of security either.”


      Marc Maiffret, co-founder and chief hacking officer of eEye Digital Security, said a discussion about the severity of the threat is meaningless.

      “There’s this mentality among IT people and even at Microsoft that it’s not a big threat unless thousands and thousands of users are being compromised. That’s not the way to look at it. There’s a reason phishing is a huge problem. It’s a huge problem because people can be easily tricked into clicking on a bad link. That’s why this is a big deal, even if the majority of users aren’t being compromised,” Maiffret said.

      He also warned against believing that the current attacks cannot be automated. “This can be totally automated … because it required a click today [doesn’t mean] it will require a click tomorrow. There are plenty of other things you can do to launch an attack from a clean site,” Maiffret said.

      He referred to a November 2004 incident when hackers broke into a load balancing server that handles ad deliveries for Germany’s Falk eSolutions AG and successfully loaded exploit code on banner advertising served on hundreds of Web sites.

      “If an attacker breaks into an ISP that hosts images for thousands of good sites, all he has to do is replace those with malicious WMF files. He can break into any high-traffic site and put his image there. That won’t require a phishing click,” Maiffret said. “You can’t rank threats based on how many people are being compromised.”

      Maiffret, who was credited with finding and reporting a high-risk WMF bug to Microsoft last year, said IT administrators should avoid rating flaws based on which threats make news headlines.

      “If it’s not in the news, that’s the one you want to be afraid of. There are hundreds of zero-day, targeted attacks happening right now. The ones in the news are the ones we know about. But you can’t base security off the worm you read about in the papers. That was how it was in the 1990s. Today, the climate is that you are being attacked by the flaw you don’t know about and if it’s not found in the wild, you’ll never know about it,” Maiffret said.
