Security threats Toolkit

Hackers take advantage of Windows WMF flaw

Tags:
GIF,
Exploit Code,
WMF

Tom Espiner ZDNet.co.uk

Published: 03 Jan 2006 18:20 GMT

Hackers are stepping up their attempts to exploit the WMF vulnerability that was discovered within Microsoft Windows last year, experts warned on Tuesday.

Security experts say the vulnerability is potentially very dangerous as conventional antivirus software and IDS signatures do not recognise malicious code that exploits it.

Exploit code is hidden within seemingly normal JPEG, GIF, or Bitmap files which can be spread through emails or instant messages. These files can also be embedded within a Web page, and security vendor Websense has warned that users need only visit a compromised or fake website to be attacked.

"The sites number in the hundreds, and they're still coming out fast and furious," said Dan Hubbard, senior director of security and research at Websense. "The potential for a major outbreak is there. There's no patch from Microsoft, and there are a number of kits online that allow easy exploit building."

Businesses should be aware that employees need educating about the danger from WMF exploits, said Hubbard, advising IT professionals to block picture files and restrict administrative access.

"Pictures are not seen as being dangerous by general users, and systems administrators don't normally block WMF files in email. You need to create very restrictive filters at your email gateway, and err on the side of caution," Hubbard explained.

The Internet Storm Center has advised businesses to use an unofficial patch developed by security software developer Ilfak Guilfanov, because the official Microsoft patch will not be available until next Tuesday.

"The Microsoft WMF vulnerability is bad. It is very, very bad." said Tom Liston of the Internet Storm Center. "This is a bad situation that will only get worse."

"On December 31st, we received word that a "new and improved" version of the WMF exploit had been published. This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures. Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act."

A Microsoft spokesperson recommended that businesses wait for a week for the official patch, as it could not guarantee third party updates would be effective.

"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006. Microsoft cannot provide assurance for independent third party security updates," Microsoft said.

The Internet Storm Center felt that businesses could not afford to wait for the official patch.

"You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," said Liston.

Systems administrators can also work around the problem by unregistering a file called shimgvw.dll.

"The very best response that our collective wisdom can create is contained in this advice — unregister shimgvw.dll and use the unofficial patch," said Liston.