TechWeb

Microsoft Promises To Patch Worsening Zero-Day Flaw

Dec 29, 2005 (08:12 AM EST)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=175701152


As bleaker details emerged Thursday about the threat posed by a zero-day vulnerability in Windows, Microsoft said it would produce a patch for the flaw but declined to put the fix on a timetable.

In a security advisory posted on its Web site, Microsoft confirmed the vulnerability and the associated release of exploit code that could compromise PCs, and listed the operating systems at risk. Windows 2000 SP4, Windows XP, Windows Server 2000, Windows 98, and Windows Millennium can be attacked using the newly-discovered vulnerability in WMF (Windows Metafile) image file parsing, said Microsoft.

"Upon completion of [our] investigation, Microsoft will take the appropriate action to help protect our customers," the advisory stated. "This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

Microsoft rarely goes out-of-cycle to patch a vulnerability -- it's done so only three times since it began a once-a-month patch release schedule in October, 2003; the last time was over a year ago -- and didn't patch early in December when another zero-day bug surfaced, even after experts called on the Redmond, Wash.-based developer to fix fast.

One security vendor told its customers Thursday not to hold their breath waiting for a fix for the flaw.

"Further investigation by the DeepSight Threat Analyst Team has uncovered the possibility that this issue may actually occur according to the WMF file specification, and may therefore be difficult to fix," wrote Symantec in an alert to clients of its early warning service. "If this is the case, a fix for the problem may take some time to develop."

And other details began emerging Thursday that indicated the threat may be worse than originally believed.

"It's really easy to get this thing," said Shane Coursen, a senior technical analyst with Moscow-based Kaspersky Labs. "The exploit will even work through a DOS box."

Rival security firm F-Secure, which is based in Helsinki, Finland, explained how that happens, and pinned blame on Google's Desktop search tool in the process.

"You can get burned even while working in a DOS box!" wrote Mikko Hypponen, F-Secure's chief research officer, in an entry to the company's research blog. "This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?"




Hypponen explained that the test machine had Google Desktop installed; Like other desktop search applications, Google's tool automatically indexes the metadata of images -- including WMF files -- in real time. To do that, it issues an API call to the vulnerable DLL (shimgvw.dll) to extract the metadata. "This is enough to invoke the exploit and infect the machine," added Hypponen. The SANS Institute's Internet Storm Center also tossed in its two cents of bad news.

Although some security firms on Wednesday advised enterprises to block WMF files at the network edge, that may not be a decent defense for long.

"Windows XP will detect and process a WMF file based on its content, and not rely on the extension alone," wrote analyst Chris Carboni on the center's blog. "[That] means a WMF sailing in disguise with a different extension might still be able to get you."

Hackers could simply rename a malicious WMF file with, say, a .gif or .jpg file extension, attach it to an e-mail message, and assuming a user opens the file, infect a system.

At the moment, say the experts, exploits are "only" installing spyware and/or fake anti-spyware software. That's bad enough, said two security firms, including one that specializes in combating spyware.

"Now we're seeing many more using this to install bad stuff," said Alex Eckelberry, president of anti-spyware developer Sunbelt Software. "This is a really bad exploit. Be careful out there."

Websense, a San Diego-based content filtering firm, has posted a video that shows the infection process, and said that it was tracking "thousands" of sites distributing the exploit code from just one host site. Spyware now, said another security professional, but even more malicious software next.

"The technique that is being used can and will be combined with traditional malware like Mytob or Bagle," Stefana Ribaudo, the director of Computer Associates eTrust Security told TechWeb in an e-mail. "We're concerned that in the absence of a patch or even readily followed steps to secure systems, that we could see additional delivery methods such as e-mailing the WMF file (especially with jokes and holiday greetings) and instant messaging.

"Once workers are back in the office after the holiday, we could see an increase [in the exploit],” warned Ribaudo.

(Editor's note: This related story examines how to protect PCs against the new zero-day bug.)