Microsoft Corp. said on Thursday that it would release a patch for a critical hole in the Windows operating system five days ahead of the planned release date.
The company began releasing a patch for a vulnerability in a Windows component used to render WMF (Windows Metafile) image files late Thursday, citing faster-than-expected testing of the patch and intense customer demand to get a fix out as soon as possible.
The patch came amid reports from anti-virus companies and security researchers about the appearance of new tools that make it easy for even unsophisticated hackers to use the WMF hole to compromise Windows systems.
In a security advisory posted Thursday afternoon, Microsoft said it would push out a patch for the WMF hole Thursday at 5:00, after initially saying that the patch would be released with the companys monthly patch on Tuesday, Jan. 10.
The two-week turnaround was one of the fastest in the companys history, and reflects the seriousness of the WMF flaw, said Debby Fry Wilson, a director at MSRC (Microsoft Security Response Center).
Microsofts patch contains a new version of the vulnerable Windows component, a DLL named gdi32.dll. The patch works for the supported operating systems for which the WMF vulnerability was critical: Windows 2000, Windows XP, and Windows Server 2003, she said.
Customers using non-supported operating systems can only get the patch if they have custom support agreements that entitle them to the fix, she said.
Microsoft maintains that WMF attacks are limited and were being mitigated by anti-virus software and the companys efforts to shut down malicious Web sites, Fry Wilson said.
“Normally we do an out-of-band release when things change or a problem is more severe than we first anticipated. In this case, the data continues to show that [WMF] attacks are limited,” she said.
Employees at Atlanta-based SecureWorks Inc. recorded a big increase in WMF attacks last week from the previous week.
More than 100 of the companys clients, many of them banking and finance companies, were being targeted by more than 137 attackers as of Wednesday, compared with just six clients and 24 attackers the week before.
The company had recorded more than 3,733 attacks by Wednesday evening, according to Josh Daymont, director of research.
At the SANS Institutes Internet Storm Center, incident handlers had collected more than 200 unique WMF exploits as of Tuesday, which were forwarded to Microsoft, according to Johannes Ullrich, chief technology officer.
Websense Inc., another security software maker, tracked an increase in Web pages that use the WMF to install remote control (“bot”) software and Trojan horse programs, beginning Jan. 1, according to the companys Web page.
At Symantec Corp., researchers have also spotted an increase in Trojan horse programs, with names like pwsteal.bankash and Trojan.satiloler, which are downloaded to machines immediately following exploits using the WMF hole, said Dean Turner, senior manager of developer at Symantec Security Response.
-Mail Exploit Defeats Anti-virus Products”>
E-mail attacks that trick users into clicking on WMF images have also been spotted, though they are less prevalent, Daymont said.
“Were seeing e-mail as a vector for targeted attacks that are smaller in number,” he said.
Still, ISC knows of one spam blast with a WMF attachment to around 5 million e-mail addresses that is believed to have compromised about 50,000 hosts, which were then added to a bot network, Ullrich said.
The attack worked even though most anti-virus products spotted the malicious attachment and the attempted exploit used in the e-mail attack, he said.
Some anti-virus companies, including Kaspersky Lab and McAfee Inc., have also developed detection signatures for WMFMaker, a scripting tool that makes it easy for unsophisticated hackers to craft their own attacks, according to Ullrich.
WMFMaker is a simple, command-line tool that allows hackers to add malicious code to WMF images. The tool is like a simplified version of the popular Metasploit hacking tool and allows unsophisticated hackers to create WMF attack images with very little effort, Ullrich said.
The program may be partially responsible for a surge in malicious activity linked to the WMF exploit, he added.
Kevin Ladd, director of infrastructure at Direct Media Inc. in Greenwich, Conn., said he had a computer compromised by a WMF attack while surfing, but also said malicious Web sites were mostly to be found on “the dark side” of the Internet: sites frequented by hackers or those looking for the compromised versions of commercial software known as “warez.”
That may become less true as time progresses, SecureWorks Daymont said.
Legitimate Web pages such as those on MySpace.com or America Online Inc.s site could potentially be used as launching pads for WMF exploits if they are not carefully monitored for malicious images, he said, adding, “Well be dealing with [WMF] for a long time to come … We expect to be responding to this attack for more than a year.”