Just when mass-mailer worms are becoming an endemic but utterly preventable problem, a whole new wrinkle is developing. Mass-mailer worms based on the Microsoft GDI+ vulnerability will probably slip through most perimeter e-mail protection facilities.
There is a client-side patch for versions of Windows prior to XP Service Pack 2 (SP2 itself is not vulnerable), and there is some measure of imperfect protection for third-party programs. The third-party issue is probably not so bad in the short term, but the long term isn't pretty.
But the prospect of HTML e-mails—which, though they have no explicit attachments, infect the system and run arbitrary code on them—is extremely troubling to me. Numerous proof-of-concept exploits are appearing and, while I hear at least some of them do not reliably exploit the hole, it's just a matter of time before one comes out that is troublesome enough.
Even though the patch is out there and SP2 users are basically safe, it's hard to feel optimistic. Look at the last great worm, which I figure to be Sasser and its lesser imitations. This was a worm that could be blocked with a patch or at the firewall, and still it caused havoc. There's less that can be done on an administrative basis to stop the coming JPEG worm.
But of the administrative possibilities for stopping this worm, the only practical one is to apply the patch. What else can be done? Disable HTML e-mail? Not practical anymore. Have the anti-virus engine scan JPEG files for the problem? Not practical—the performance hit would be atrocious. There really isn't a good workaround for corporate or home users. The truth of the situation is patch or die.
As I pointed out earlier, the problem of third-party programs that redistribute vulnerable copies of the GDIPLUS.DLL file is a difficult one, but I just don't see it as having the destructive potential of the browser/e-mail side of the problem.
As Tom Liston pointed out in an open letter to Microsoft, the company's scanning tool for vulnerable programs takes a very narrow view of the problem. It doesn't look generically for the problem. I myself found a better scanning tool; I call it "DIR C:\GDIPLUS.DLL /S." It finds all copies of GDIPLUS.DLL on the system and displays their dates.
The file date isn't a guarantee that a file is or isn't vulnerable, and I don't know if you can just copy new, fixed versions to the locations of the vulnerable ones.
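The DIR trick above lists copies of the library but, as noted, only shows dates. The PowerShell script below is an added example (not from the column or from Microsoft's tool) that does the same enumeration and also reads the version resource embedded in each copy, which is what the bulletin's fixed-version number should be compared against. The drive root and the `$FixedVersion` value are assumptions: the real fixed version is not on this page, so the script ships with a placeholder that must be replaced from the Microsoft bulletin before the Status column means anything.

```powershell
# Added example: inventory every gdiplus.dll under a root and report
# last-write date AND embedded file version, because the date alone does
# not prove a copy is fixed.
# $FixedVersion is a PLACEHOLDER; take the actual value from the Microsoft
# bulletin for the GDI+ fix before relying on the Status column.
param(
    [string]$Root = 'C:\',
    [version]$FixedVersion = '0.0.0.0'   # PLACEHOLDER, see lead-in
)

$copies = Get-ChildItem -Path $Root -Filter 'gdiplus.dll' -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # FileVersion is a string; keep only the leading dotted-number part
        # so it can be compared as a [version] (some resources append text).
        $verText = ($_.VersionInfo.FileVersion -split '[^\d.]')[0]
        $ver = if ($verText) { [version]$verText } else { $null }

        $status = if (-not $ver) {
            'no version resource (inspect manually)'
        } elseif ($ver -lt $FixedVersion) {
            'OLDER than fixed version'
        } else {
            'at or above fixed version'
        }

        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            FileVersion   = $ver
            Status        = $status
        }
    }

# One row per copy, oldest version first, so redistributed copies bundled
# by third-party applications stand out next to the operating system's own.
$copies | Sort-Object FileVersion | Format-Table -AutoSize
```

Run it once per drive that holds program files; third-party applications often keep their private copy in their own install directory rather than in the system directory, which is exactly why a recursive search is needed.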
Unlike with a browser or e-mail client, most third-party GDIPLUS programs don't work with arbitrary images from arbitrary sources (this is my guess, but I feel good about it). So how do you get the exploit to the images that third-party applications use?
The answer is expensive in terms of network and CPU time, but what's a worm to do other than propagate itself? The worm needs to search out on the computer on which it's running and the network to which it is attached for JPEG files and modify them to include the exploit. This would require the user of the exploited computer to have write privileges to these files, and it would probably leave an audit trail of the modification, but who cares? It's the user of the computer, not the author of the worm, who gets in trouble.
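The "audit trail" mentioned above only helps if someone is keeping one. As an added example (not from the column), the PowerShell functions below record a hash baseline of the JPEG files on a share and later report which of them were rewritten, so a sudden mass modification of images is visible to an administrator instead of being noticed only when the images start crashing viewers. The share path, baseline file location and warning threshold are assumptions chosen for the example.

```powershell
# Added example: integrity baseline for JPEG files so that a mass rewrite of
# images (the propagation pattern described in the column) leaves a record an
# administrator can act on. Paths and the threshold below are assumptions.

function New-JpegBaseline {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$BaselineFile
    )
    # Record path, size and SHA-256 of every JPEG under $Root.
    Get-ChildItem -Path $Root -Include '*.jpg', '*.jpeg' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Length = $_.Length
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $BaselineFile -NoTypeInformation
}

function Compare-JpegBaseline {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$BaselineFile,
        [int]$WarnThreshold = 20   # assumed: more than this many changed files is suspicious
    )
    # Load the earlier baseline keyed by path.
    $previous = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $previous[$_.Path] = $_ }

    # Re-hash each JPEG that was in the baseline and collect the ones that changed.
    $changed = @(
        Get-ChildItem -Path $Root -Include '*.jpg', '*.jpeg' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $prev = $previous[$_.FullName]
                if ($prev) {
                    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    if ($hash -ne $prev.SHA256) {
                        [pscustomobject]@{
                            Path          = $_.FullName
                            OldLength     = [int64]$prev.Length
                            NewLength     = $_.Length
                            LastWriteTime = $_.LastWriteTime
                        }
                    }
                }
            }
    )

    if ($changed.Count -gt $WarnThreshold) {
        Write-Warning ("{0} JPEG files changed since the baseline; review before opening them." -f $changed.Count)
    }
    $changed
}

# Usage (assumed paths):
# New-JpegBaseline     -Root '\\fileserver\images' -BaselineFile 'C:\baseline\jpeg-baseline.csv'
# Compare-JpegBaseline -Root '\\fileserver\images' -BaselineFile 'C:\baseline\jpeg-baseline.csv' | Format-Table -AutoSize
```

Image files on a document share are normally written once and read many times, so a burst of modified JPEGs with fresh LastWriteTime values across many directories is the signal worth alerting on; the OldLength/NewLength columns are there because a rewritten file rarely keeps exactly its original size.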
This nightmare worm could end up making the JPEG format unusable in the short term, but in the time it would take to replace the format, the patch could be widely deployed anyway. It's a no-win situation.
Moral of the story: Patch early and often. Get around to the Microsoft and third-party programs when you can, but more importantly get the operating system patched.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.