Hackers take advantage of Windows WMF flaw


Summary: Exploits for the Windows Metafile vulnerability are coming 'fast and furious', say experts, as businesses are warned to educate their users

TOPICS: Security

Hackers are stepping up their attempts to exploit the WMF vulnerability that was discovered within Microsoft Windows last year, experts warned on Tuesday.

Security experts say the vulnerability is potentially very dangerous as conventional antivirus software and IDS signatures do not recognise malicious code that exploits it.

Exploit code is hidden within seemingly normal JPEG, GIF, or Bitmap files which can be spread through emails or instant messages. These files can also be embedded within a Web page, and security vendor Websense has warned that users need only visit a compromised or fake website to be attacked.

"The sites number in the hundreds, and they're still coming out fast and furious," said Dan Hubbard, senior director of security and research at Websense. "The potential for a major outbreak is there. There's no patch from Microsoft, and there are a number of kits online that allow easy exploit building."

Businesses should be aware that employees need educating about the danger from WMF exploits, said Hubbard, advising IT professionals to block picture files and restrict administrative access.

"Pictures are not seen as being dangerous by general users, and systems administrators don't normally block WMF files in email. You need to create very restrictive filters at your email gateway, and err on the side of caution," Hubbard explained.
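A gateway filter of the kind Hubbard describes has to decide on file content, since the file extension cannot be trusted. The sketch below is an added example, not code from Websense or the Internet Storm Center: it recognises a Windows Metafile by its header fields and flags an Escape record that selects SETABORTPROC. The function names, verdict strings and sample bytes are constructed for illustration.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header
META_ESCAPE = 0x0626        # WMF record function: Escape
SETABORTPROC = 0x0009       # escape function selected inside that record

def wmf_header_offset(data):
    """Return the offset of the standard WMF header, or None if not WMF."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return off
    return None

def classify(filename, data):
    """Verdict from content only; filename is deliberately ignored."""
    off = wmf_header_offset(data)
    if off is None:
        return "allow"
    pos = off + 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:
            break  # malformed record length: stop walking, still block
        if func == META_ESCAPE and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                return "block: WMF with SETABORTPROC escape"
        pos += size_words * 2
    return "block: WMF content"

def sample_wmf(with_escape):
    """Constructed test input: WMF header and records, no payload."""
    records = b""
    if with_escape:
        records += struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)
    records += struct.pack("<IH", 3, 0)  # end-of-file record
    size_words = (18 + len(records)) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, size_words, 0, 5, 0)
    return header + records

if __name__ == "__main__":
    print(classify("holiday.jpg", sample_wmf(True)))
    print(classify("logo.gif", sample_wmf(False)))
    print(classify("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 20))
```

Both WMF verdicts block the attachment; the more specific one only gives the gateway log a clearer reason.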

The Internet Storm Center has advised businesses to use an unofficial patch developed by security software developer Ilfak Guilfanov, because the official Microsoft patch will not be available until next Tuesday.

"The Microsoft WMF vulnerability is bad. It is very, very bad," said Tom Liston of the Internet Storm Center. "This is a bad situation that will only get worse."

"On December 31st, we received word that a 'new and improved' version of the WMF exploit had been published. This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures. Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act."

A Microsoft spokesperson recommended that businesses wait for a week for the official patch, as it could not guarantee third party updates would be effective.

"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006. Microsoft cannot provide assurance for independent third party security updates," Microsoft said.

The Internet Storm Center felt that businesses could not afford to wait for the official patch.

"You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," said Liston.

Systems administrators can also work around the problem by unregistering a file called shimgvw.dll.

"The very best response that our collective wisdom can create is contained in this advice — unregister shimgvw.dll and use the unofficial patch," said Liston.


Tom Espiner

  • Sorry but the article is wrong....
    Because it affects wmf files, you can rename it to GIF or jpg, but it is still a wmf file... it doesn't affect a 100% jpg file... because the vulnerability is due to SETABORTPROC
  • You KNOW, Microsoft will use this flaw to leverage users into buying new software. They will ONLY patch Windows XP, and anyone using Windows 2000 or older, who wants their systems fixed or made more secure will be FORCED to buy Windows XP.
    In a lot of cases this will force people to have to buy new hardware.

    So far Microsoft has seen surges in sales of Windows XP for every flaw and exploit that has come out. THIS IS VERY WRONG! Microsoft should not be rewarded for poor programming. What's to stop them from deliberately creating flaws and vulnerabilities to increase sales?

    The LAW needs to step in and FORCE Microsoft to patch "EVERY" version of Windows that is affected by this flaw... AT NO COST TO THE USER.
  • W2K users can still use the unofficial patch, can't they? So I'm guessing MS would have nothing to gain by not patching W2K.

    Ah yes, the unofficial patch is indeed a wonderful demonstration of the bug-fixing power of a Community. Imagine what could be achieved if such talent could be harnessed and channelled. Perhaps the Community could write an entire Operating System...?
  • How can you trust a company like this for your business? It amazes me that companies continue to upgrade to the latest software and M$ STILL assumes no responsibility for their inferior products. It is high time OS makers take the blame for poorly written software, and hang that EULA where the sun don't shine.