MS Rushes Patch as WMF Exploit Tools Surface

A simple tool for exploiting the Windows Metafile flaw is making the rounds, increasing the number of attacks; Microsoft fights back with an early patch.

Microsoft Corp. said on Thursday that it would release a patch for a critical hole in the Windows operating system five days ahead of the planned release date.

The company began releasing a patch for a vulnerability in a Windows component used to render WMF (Windows Metafile) image files late Thursday, citing faster-than-expected testing of the patch and intense customer demand to get a fix out as soon as possible.

The patch came amid reports from anti-virus companies and security researchers about the appearance of new tools that make it easy for even unsophisticated hackers to use the WMF hole to compromise Windows systems.

In a security advisory posted Thursday afternoon, Microsoft said it would push out a patch for the WMF hole Thursday at 5:00, after initially saying that the patch would be released with the companys monthly patch on Tuesday, Jan. 10.

/zimages/6/28571.gifClick here to read about a third-party patch released for the WMF flaw.

The two-week turnaround was one of the fastest in the companys history, and reflects the seriousness of the WMF flaw, said Debby Fry Wilson, a director at MSRC (Microsoft Security Response Center).

Microsofts patch contains a new version of the vulnerable Windows component, a DLL named gdi32.dll. The patch works for the supported operating systems for which the WMF vulnerability was critical: Windows 2000, Windows XP, and Windows Server 2003, she said.

Customers using non-supported operating systems can only get the patch if they have custom support agreements that entitle them to the fix, she said.

Microsoft maintains that WMF attacks are limited and were being mitigated by anti-virus software and the companys efforts to shut down malicious Web sites, Fry Wilson said.

"Normally we do an out-of-band release when things change or a problem is more severe than we first anticipated. In this case, the data continues to show that [WMF] attacks are limited," she said.

Others disagree.

/zimages/6/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Employees at Atlanta-based SecureWorks Inc. recorded a big increase in WMF attacks last week from the previous week.

More than 100 of the companys clients, many of them banking and finance companies, were being targeted by more than 137 attackers as of Wednesday, compared with just six clients and 24 attackers the week before.

The company had recorded more than 3,733 attacks by Wednesday evening, according to Josh Daymont, director of research.

At the SANS Institutes Internet Storm Center, incident handlers had collected more than 200 unique WMF exploits as of Tuesday, which were forwarded to Microsoft, according to Johannes Ullrich, chief technology officer.

Websense Inc., another security software maker, tracked an increase in Web pages that use the WMF to install remote control ("bot") software and Trojan horse programs, beginning Jan. 1, according to the companys Web page.

At Symantec Corp., researchers have also spotted an increase in Trojan horse programs, with names like pwsteal.bankash and Trojan.satiloler, which are downloaded to machines immediately following exploits using the WMF hole, said Dean Turner, senior manager of developer at Symantec Security Response.

Next Page: An e-mail exploit defeats anti-virus products.