By Larry Greenemeier
Jan 4, 2006
Concerns over the lack of a Microsoft-issued patch have pushed the
Windows Metafile/Zero-Day bug to top of mind, surpassing even
tomorrow's much-anticipated Sober worm attack.
The lag time between the Dec. 27 discovery of the WMF vulnerability
and Microsoft's planned Jan. 10 patch availability has forced IT
security departments to find alternative means for protecting their
systems and prompted a non-Microsoft developer to create a patch that
others could use.
All of this serves to damage Microsoft's reputation as a company that
can secure its own products, a reputation that only recently was
beginning to improve after years of being dragged through the mud.
Experts are divided over whether it's wise to use Ilfak Guilfanov's
Hexblog patch to fix the WMF vulnerability, which could allow
attackers to use WMF images to execute malicious code on their
victims' computers. Some say it's a necessary measure to protect
systems until the official Microsoft patch arrives; others say it's
not worth the extra work to patch twice or to take the risk of using a
"We're advising against this third-party patch," says Gartner VP and
research fellow John Pescatore. Even if the patch works perfectly,
users will have to modify their Windows environments when they deploy
the patch, and then uninstall the patch by next Tuesday, leaving two
opportunities for something to go wrong. Gartner advises that
companies should employ workarounds that ensure that their
URL-blocking capabilities are up to date, that all WMF files are
blocked, and that they expedite testing and deployment of Microsoft's
patch when it becomes available.
But the SANS Institute's Internet Storm Center recommended Tuesday
that users not wait for Microsoft's fix, but instead unregister the
vulnerable Dynamic Link Library, or DLL (an executable program module
in Windows), and apply Guilfanov's patch.
Either way, the WMF vulnerability has been widely acknowledged as a
major security threat. The vulnerability is already being exploited,
and Symantec has raised its ThreatCon to a Level 3, out of four. The
company, which last placed a ThreatCon Level 3 in July 2004 because of
MyDoom.M, has expressed concern over the window of time Microsoft has
allowed between discovery of the vulnerability and the planned
issuance of a patch. Symantec recommends that companies instruct their
users to avoid opening unknown or unexpected E-mail attachments or
following Web links from unknown or unverified sources, and turn off
preview features on E-mail programs to prevent infection from HTML
E-mails. The WMF vulnerability affects a number of different versions
of Windows XP, Server 2003, ME, 98, and 2000, as well as some versions
of Lotus Notes.
Microsoft claims, via its Security Response Center blog, that the
company is continuing to work on finalizing a security update for the
vulnerability in WMF. In the blog, Security Response Center operations
manager Mike Reavey acknowledges that in Microsoft's effort to "put
this security fix on a fast track, a pre-release version of the update
was briefly and inadvertently posted on a security community site."
Microsoft is recommending its customers disregard the posting and wait
until a fully tested patch is issued next week.
Microsoft's response to the vulnerability has been particularly poor,
says the assistant VP of IT security for a global financial-services
firm. While Microsoft has chosen to patch the WMF vulnerability during
its normal Patch Tuesday download, this comes well after it should
have. "They have historically released patches on special occasions,
and this is clearly one of those occasions," she says, preferring to
speak anonymously on the topic of an unpatched vulnerability. She
added that her company has "wasted countless man-hours" to mitigate
the chance of being hit by an exploit, but that no amount of
workarounds can fully replace a patch from the vendor.
Third-party patches are not a new concept, but the one issued for the
WMF vulnerability is particularly troubling because it raises the
question of why Microsoft couldn't issue its own patch in a timely
fashion. In fact, the availability of Guilfanov's Hexblog patch makes
Microsoft look even worse, the financial-services assistant VP of IT
security says. "If a third party can put out a stable patch, Microsoft
should have been able to," she adds. "It shames Microsoft."
While the popular Hexblog patch (Guilfanov's Web site was down on
Wednesday morning, possibly because of bandwidth issues) is by all
appearances a solid piece of coding, the financial-services firm won't
download the patch because of the risk of implementing a patch that's
not been properly tested, "which it isn't because it's not coming from
Microsoft," the assistant VP adds.
As long as Windows systems remain unpatched, companies are at risk for
WMF exploits whenever their employees browse the Internet. "There's no
way for you to know whether a site is dangerous for a WMF exploit,"
says Ken Dunham, director of VeriSign iDefense's rapid response team.
Even if companies set their defenses to strip out all executable files
from incoming E-mails and instant messages, attackers can disguise
their executables to look like a JPG or GIF file.
As of Jan. 2, VeriSign iDefense had found at least 67 hostile sites
containing exploits against the WMF vulnerability, and the company is
investigating another 100 sites. When users visit these malicious
sites, their computers can be infected with Trojans, adware, spyware,
or files that use them as a base for sending out spam to other
Unlike the Sober worm, which spreads spam with politically charged
messages but tends not to damage systems, WMF vulnerability-inspired
spam is much more malicious. VeriSign iDefense captured a WMF culprit
on Dec. 28 that used the output.gif file to spam messages over the
Internet from a company called Smallcap-Investors, which promotes a
Chinese pharmaceutical company called Habin Pingchuan Pharmaceutical.
The spam message was sent out as a GIF file in an apparent attempt to
evade spam filters. Using spam as the underpinning of a stock "pump
and dump" scheme, Smallcap encouraged users to buy cheap stocks. As is
typical in such a ruse, once the fraudster has raised the value of the
stock, he or she sells off the stock, making it worthless to the
victims who've been duped into investing.
Another WMF exploit came in the form of the HappyNY.a worm, which
looks to a user like a JPG file but is actually a malicious WMF file.
The HappyNY.a worm contains Nascene.C code, which attempts to exploit
the WMF vulnerability and fully compromise a user's computer.
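The defensive point in the two passages above (Dunham's warning that a WMF payload can be disguised as a JPG or GIF, and the HappyNY.a file that "looks to a user like a JPG file but is actually a malicious WMF file") is that a gateway filter keyed on file extensions cannot enforce a "block all WMF files" policy. The following is an added example, not code from the article or from any vendor it quotes: it classifies an attachment by its header bytes and blocks WMF content whatever the file is named. The sample attachments are constructed here for illustration.

```python
import struct

# Header signatures for the formats the article mentions.
PLACEABLE_WMF_KEY = 0x9AC6CDD7        # Aldus placeable metafile key (little-endian DWORD)
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "gif": "gif", "wmf": "wmf"}


def sniff_image_type(data: bytes) -> str:
    """Return 'wmf', 'jpeg', 'gif' or 'unknown' from the leading bytes only."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(GIF_MAGICS):
        return "gif"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return "wmf"
    # Standard METAHEADER: mtType (1 = memory, 2 = disk), mtHeaderSize == 9 words,
    # mtVersion 0x0100 or 0x0300; all three are little-endian WORDs.
    if len(data) >= 6:
        mt_type, header_size, version = struct.unpack("<HHH", data[:6])
        if mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def attachment_verdict(filename: str, data: bytes) -> str:
    """'block' when the bytes are WMF (regardless of name) or when the declared
    image extension disagrees with the sniffed content; otherwise 'allow'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXT_TO_TYPE.get(ext, "unknown")
    actual = sniff_image_type(data)
    if actual == "wmf":
        return "block"                      # policy: no WMF content at all
    if declared != "unknown" and declared != actual:
        return "block"                      # e.g. JPEG bytes inside a ".gif"
    return "allow"


if __name__ == "__main__":
    # Constructed samples: a genuine GIF, a genuine JPEG, and a placeable WMF
    # header carried under a .jpg name, as the article describes for HappyNY.a.
    samples = {
        "banner.gif": b"GIF89a" + b"\x00" * 10,
        "photo.jpg": JPEG_MAGIC + b"\xe0" + b"\x00" * 8,
        "HappyNY.jpg": struct.pack("<I", PLACEABLE_WMF_KEY) + b"\x00" * 18,
    }
    for name, blob in samples.items():
        print(f"{name}: {sniff_image_type(blob)} -> {attachment_verdict(name, blob)}")
```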
If users come to depend too much on third-party patches to avoid such
scams, it could set a dangerous precedent for security. "You'll see
phishing E-mails that say they offer volunteer patches," Pescatore
says. "If people start using these sites that are not from a
vendor, this could be a whole new problem."
Concerns over the proliferation of Microsoft-based phishing scams come
as an Iowa man recently pleaded guilty to computer fraud charges
arising from a phishing scheme conducted from January 2003 through
June 2004 on Microsoft's MSN Internet service. The scam involved
sending E-mail falsely claiming that MSN customers would receive a 50%
credit toward their next bill.
Meanwhile, the buzz around the WMF vulnerability has helped eclipse
concerns over the upcoming Sober worm threat. "All of the antivirus
guys have put out their signature updates" for the latest incarnation
of Sober, and "the payload has been analyzed, so you know what DNS
servers it's going to call," Pescatore says. The most important thing
for IT security professionals to realize is that there is a patch for
Sober and that, while the attacks will start by Jan. 5, there will
likely be new variants of Sober each subsequent week.
On Jan. 5, the code contained in the Sober worm will start updating
and sending itself out to thousands, if not millions, of computers,
adds Dunham. So far, the Sober attacks have been aimed more at
spreading political and social messages than at delivering
malicious payloads. "Sober has the ability to download code, but the
attackers haven't done this," he adds. "Instead, they use it to send
spam and clog E-mail servers and promote their agenda."
Signature-based antivirus programs won't have any problems detecting
known variants of Sober. New variants will prove a bit trickier, and
companies should make sure executable and JPG attachments are stripped
out of E-mails traversing their networks, says Shane Coursen, a senior
technical consultant for antivirus software maker Kaspersky Lab. For
this latest generation of Sober, companies will rely less on
signature-based antivirus defenses and more on those that employ
heuristic routines that flag strange behavior on the network.