Finnish security firm F-Secure announced today a new worm that arrives in instant messages and directs gullible users to a malicious Web site, courtesy of the Windows Meta File flaw that made headlines last week. Meantime, security programmers continue to analyze the exploit to drum up their own fixes until Microsoft releases one.
The vulnerability, a design flaw in the way Windows handles its image files, stands a chance of becoming a huge headache this week as more refined exploits are released and enterprise users return from a long holiday break.
Originally designed to assist when a print job needed to be canceled during spooling, the function has been rigged by malicious coders to compromise machines running Windows XP (including those with the SP 2 patch installed), ME, 2000 and Windows Server 2003 by hiding malicious code on a Web page or e-mail containing .wmf files. Vendors reported last week that the flaw is primarily being used to sneak spyware onto computers.
Some security experts initially downplayed the chance of an epidemic, given users must manually visit an infected page and the attackers must host the site. But exploit writers continue to find new ways to draw users to these vulnerable images, including what appears to be a worm burrowing through MSN Messenger lists, appearing as a message from familiar sources asking them to visit a site containing this partial file name: /xmas-2006 FUNNY.jpg, according to F-Secure's blog. The Helsinki-based company a day earlier warned of an e-mail containing an infected image called HappyNewYear.jpg. "When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com," according to the blog. "Admins, filter this domain at your firewalls. It's going to get worse."
The Internet Explorer browser automatically views an infected image without warning, thus triggering the exploit. However, other competing browsers, such as The Mozilla Foundation's popular Firefox open-source browser, also is at risk since it's protections do little to prevent an infected image from opening, researchers report.
SANS's Internet Storm Center (ISC) on Monday took the unusual step of endorsing an unofficial fix being distributed via Russian programmer Ilfak Guilfanov's blog. "Browsing the Web was not safe anymore, regardless of the browser," Guilfanov wrote. "Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix - I badly needed it."
The programmer said his patch doesn't delete any functionality from the system, so all pictures will continue to be visible. He also cautioned that once Microsoft comes through with a patch, administrators should uninstall his fix. "This is a DLL which gets injected to all processes loading user32.dll," he explained. "It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore.
"I can imagine situations when this sequence is useful," he continued. "My patch completely disables this escape sequence, so please be careful. However, with the fix installed, I can browse files, print them and do other things."
ISC diary handlers also note other researchers racing to protect machines ahead of exploits such as the IM worm F-Secure announced on its blog today. Guilfanov's, as of now, appeared most popular. Handler Marcus Sachs also reminded enterprise security administrators to be careful when installing any fix. "Be sure to test the patch above before deploying it across an enterprise," he wrote. "While the handlers (including me) are running it on our own personal systems and it works as advertised, we can't vouch for any special software you might have in your own systems that could be disabled after the patch is installed."