by Playfuls Staff |
29th December 2005

2005 has been a year in which every month has brought yet another security flaw in a Microsoft product, and the last days of December bring the discovery of one of the most serious flaws yet found in Windows XP.
Exploit code for what Secunia rates an "extremely critical" flaw in the handling of Windows Metafile Format (.wmf) files is in the wild and is already being used by attackers against fully patched systems.
Vulnerable operating systems include a slew of Windows Server 2003 editions: Datacenter Edition, Enterprise Edition, Standard Edition and Web Edition. Also at risk are Windows XP Home Edition and Windows XP Professional, making both home users and businesses open to attack.
According to CNet news, the bug is in Windows' rendering of Windows Metafile (WMF) images, a component that's been patched three times in the last two years, most recently in November by the bulletin MS05-053. The newest flaw, however, is different enough from November's that fully-patched Windows XP SP2 and Windows Server 2003 machines can be compromised.
"This exploit is doing something a bit different," said Shane Coursen, a senior technical analyst with Moscow-based Kaspersky Labs. "It looks like it affects the same DLL as MS05-053, but it's not overflowing the buffer." According to Microsoft's MS05-053 bulletin, the November vulnerability was in an unchecked buffer.
According to the Sunbelt Software blog, "any application that automatically displays a WMF image" can be a vector for infection, including older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all Windows versions.
"This is a zero-day exploit, the kind that give security researchers cold chills," according to Sunbelt's blog. "You can get infected by simply viewing an infected WMF image."
According to F-Secure, Trojan downloaders are taking advantage of the vulnerability to install Trojan-Downloader.Win32.Agent.abs, Trojan-Dropper.Win32.Small.zp, Trojan.Win32.Small.ga and Trojan.Win32.Small.ev. F-Secure also reports that some of the Trojans install hoax anti-malware programs such as Avgold.
According to Ken Dunham, the director of Reston, Va.-based iDefense's rapid response team, many hacker sites are using a working exploit to compromise Windows machines. Attackers need only to cajole users into visiting sites planted with malicious WMF files, or get them to open such image files sent as e-mail attachments.
"WMF exploitation has taken off in the past twelve hours," said Dunham. "It's likely that WMF exploitation will be very successful in the near term."
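The article describes the flaw only as a bug in Windows' rendering of WMF images, reachable by any application that displays such a file, and never identifies the faulty code path. The following is an added illustration, written for this page rather than taken from the article, Microsoft, Secunia or any other vendor it quotes, of how a mail or web gateway could triage WMF content by structure instead of trusting a file extension. The placeable and standard header layout and the record format are the published WMF format; treating a malformed file or any META_ESCAPE record as grounds for quarantine is this example's own heuristic (escape records hand their payload to driver code and are rare in ordinary pictures), and the sample files are constructed inline, not real malware.

```python
"""Content-based WMF triage (added example, not code from the article).

Header/record layout follows the published WMF format. Flagging
META_ESCAPE records is this example's own heuristic, not something the
article or Microsoft's advisory describes."""
import struct

WMF_PLACEABLE_KEY = 0x9AC6CDD7   # magic of the 22-byte "placeable" header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626             # escape record: payload goes to driver code
PLACEABLE_HEADER_LEN = 22
STANDARD_HEADER_LEN = 18


def looks_like_wmf(data: bytes) -> bool:
    """Identify WMF data by content, not by file extension."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY:
        return True
    if len(data) >= STANDARD_HEADER_LEN:
        mtype, hsize, version = struct.unpack_from("<HHH", data, 0)
        # Type 1 = memory, 2 = disk; HeaderSize is 9 WORDs; Version 1.0 or 3.0
        return mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)
    return False


def parse_wmf(data: bytes) -> dict:
    """Walk the record stream; raise ValueError on any malformed structure."""
    if not looks_like_wmf(data):
        raise ValueError("not a WMF header")
    placeable = struct.unpack_from("<I", data, 0)[0] == WMF_PLACEABLE_KEY
    offset = PLACEABLE_HEADER_LEN if placeable else 0
    if len(data) < offset + STANDARD_HEADER_LEN:
        raise ValueError("truncated standard header")
    mtype, hsize, version, _lo, _hi, nobj, _maxrec, _nmem = struct.unpack_from(
        "<HHHHHHIH", data, offset)
    if mtype not in (1, 2) or hsize != 9:
        raise ValueError("bad standard header")
    offset += STANDARD_HEADER_LEN
    records, escapes = [], []
    while True:
        if offset + 6 > len(data):
            raise ValueError("record stream truncated before META_EOF")
        size_words, func = struct.unpack_from("<IH", data, offset)
        if size_words < 3:                      # also stops a zero-size loop
            raise ValueError("record size below the 3-word minimum")
        rec_len = size_words * 2
        if offset + rec_len > len(data):
            raise ValueError("record overruns the file")
        params = data[offset + 6: offset + rec_len]
        records.append((func, rec_len))
        if func == META_ESCAPE:
            if len(params) < 4:
                raise ValueError("escape record too short")
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if byte_count > len(params) - 4:
                raise ValueError("escape byte count exceeds record")
            escapes.append((esc_func, byte_count))
        offset += rec_len
        if func == META_EOF:
            break
    return {"placeable": placeable, "version": version, "objects": nobj,
            "records": records, "escapes": escapes}


def is_suspicious(data: bytes) -> bool:
    """Gateway verdict: malformed WMF or any escape record -> quarantine."""
    try:
        return bool(parse_wmf(data)["escapes"])
    except ValueError:
        return True


# --- constructed sample files (not real malware) ---------------------------
def build_record(func: int, params: bytes = b"") -> bytes:
    if len(params) % 2:
        params += b"\x00"                       # records are WORD aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records: list, placeable: bool = False) -> bytes:
    eof = build_record(META_EOF)
    body = b"".join(records) + eof
    total_words = (STANDARD_HEADER_LEN + len(body)) // 2
    max_words = max(len(r) // 2 for r in records + [eof])
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, max_words, 0)
    out = header + body
    if placeable:   # key, handle, bbox (0,0,100,100), 96 units/inch, reserved, checksum
        out = struct.pack("<IHhhhhHIH", WMF_PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + out
    return out


BENIGN = build_wmf([build_record(META_SETMAPMODE, struct.pack("<H", 8))])
WITH_ESCAPE = build_wmf(
    [build_record(META_ESCAPE, struct.pack("<HH", 0x000F, 4) + b"ABCD")], placeable=True)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("escape", WITH_ESCAPE), ("truncated", BENIGN[:-2])):
        print(f"{name:10s} {'QUARANTINE' if is_suspicious(blob) else 'clean'}")
```

The verdict is deliberately conservative: a file that claims to be a metafile but cannot be walked to META_EOF is treated the same as one carrying an escape record, since a renderer reading past the end of a record is exactly the kind of behaviour a gateway should not let reach a desktop.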
By default, Internet Explorer automatically opens the vulnerable Windows Picture and Fax Viewer application to display WMF files, making that browser the riskiest to use. But it's not the only threatened browser: Mozilla Corp.'s Firefox, for instance, defaults to the same application, as does Opera, although users must acknowledge a dialog box before opening the image.
Some anti-virus vendors have protections already in place against the exploit. Kaspersky, for example, recognizes and stops the downloader used by the malicious sites to drop code on vulnerable machines, while McAfee and Symantec have already released updates that detect the current crop of attacks.
To disable Windows Picture and Fax Viewer, users should click on the Start menu, select Run, enter "regsvr32 /u shimgvw.dll" and click OK. The same command without "/u" re-registers the viewer once a patch has been installed. Note that this only removes the viewer as an entry point; the faulty rendering code is in Windows itself, so other applications that render WMF files directly remain exposed.
Dunham confirmed that this workaround takes care of the WMF problem as it is currently being exploited, but warned that other file formats, such as EMF, might turn out to be just as vulnerable once a thorough investigation is complete. (In October 2004, Microsoft patched a bug in WMF and EMF (Enhanced Metafile) image rendering; Dunham cited EMF as a possible alternate vulnerable file format.)
As expected, Microsoft would only acknowledge that it's looking into the problem, the usual response from the Redmond, Wash.-based developer to news of zero-day exploits of its software.
"Microsoft is investigating new public reports of a possible vulnerability in Windows and will continue to investigate the public reports to help provide additional guidance for customers," said a Microsoft spokesperson. "Upon completion of this investigation, Microsoft will take the appropriate action, which may include providing a fix through our monthly release process or issuing a security advisory, depending on customer needs."
In the meantime, systems get hacked. Thank you, Microsoft, for ending the year the same way you started it: broken and flawed.