If testing is successful, Microsoft will release a patch for an extremely critical Windows Meta File glitch as part of its regularly scheduled monthly security update next week. But security experts aren't so sure IT administrators should wait that long to take action.
"For those in academic environments, this may actually work in your favor as students will be coming back after the supposed release date," Scott Fendley, a handler for the Bethesda, Md.-based SANS Internet Storm Center (ISC), said Tuesday on the organization's Web site. "For corporate environments, IT staffers are going to have to make a risk assessment. What would be [the] cost to your company if you are compromised between now and Jan. 10 if the update is released as mentioned? Can you really afford to do nothing? Are you willing to gamble that unregistering the DLL is sufficient, or do you go with defense-in-depth and apply the unofficial patch? You make the choice."
The Redmond, Wash.-based software giant announced its plan for a Patch Tuesday fix in an updated advisory on its TechNet site.
"Microsoft has completed development of the security update for the vulnerability," the vendor said. "The security update is now being localized and tested to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing."
Microsoft added that the update will be released worldwide simultaneously in 23 languages for all affected versions of Windows. The company stressed that "based on strong customer feedback, all Microsoft's security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time."
Though it acknowledged that the glitch is serious and attacks have been attempted, Microsoft said its intelligence sources indicate that the scope of the attacks are not widespread. "In addition," the company said, "antivirus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures.
A major headache
The vulnerability, a design flaw in the way Windows handles its image files, could become a major headache for IT professionals this week as more refined exploits are released and enterprise users return from a long holiday break.
The Internet Explorer browser automatically views an infected image without warning, thus triggering the exploit. However, other competing browsers, such as Mozilla Foundation's popular Firefox open source browser, is also at risk -- its protections do little to prevent an infected image from opening, researchers report.
The ISC has taken the unusual step of endorsing an unofficial fix available via Russian programmer Ilfak Guilfanov's blog. "Browsing the Web was not safe anymore, regardless of the browser," Guilfanov wrote. "Microsoft will certainly come up with a thoroughly tested fix for it in the future, but meanwhile I developed a temporary fix -- I badly needed it."
The programmer said his patch doesn't delete any functionality from the system, so all pictures will continue to be visible. He also cautioned that once Microsoft comes through with a patch, administrators should uninstall his fix. "This is a DLL which gets injected to all processes loading user32.dll," he explained. "It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore.
"I can imagine situations when this sequence is useful," he added. "My patch completely disables this escape sequence, so please be careful. However, with the fix installed, I can browse files, print them and do other things."
AV firms remain vigilant
As users await the fix from Microsoft, security firms are continuing to watch for new attacks. Finnish security firm F-Secure, for example, has warned of a new worm that arrives in instant messages and directs gullible users to a malicious Web site that exploits the flaw.
The worm burrows through MSN Messenger lists, appears as a message from familiar sources and asks them to visit a site containing this partial file name: /xmas-2006 FUNNY.jpg, according to F-Secure's blog. The Helsinki-based company a day earlier warned of an e-mail containing an infected image called HappyNewYear.jpg. "When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com," according to the blog. "Admins, filter this domain at your firewalls. It's going to get worse."
Cupertino, Calif.-based AV firm Symantec Corp. has kept its ThreatCon at Level 2 in response to the threat. In an e-mail to customers of its DeepSight Threat Management System Tuesday, the firm noted that it continues to monitor new attempts to attack vulnerable systems.
"Active exploitation of this issue has been, and continues to be, observed," Symantec said. "A primitive instant messenger worm has been observed that employs this vulnerability as a propagation vector. Additionally, there are reports that exploits for this issue are getting spammed to e-mail addresses. It is believed that exploitation of this issue will continue to increase."
The firm added that "administrators should be aware that many third party applications that use the vulnerable Windows component to handle WMF files can provide an alternate attack vector to target this issue."
For example, Symantec said, the vulnerability is exposed when malicious WMF file attachments are processed using Lotus Notes. "Administrators should be aware that if a malicious WMF file is renamed as an alternate graphical file type such as .GIF, .JPG, or .PNG, the GDI library will still process the malicious file as a WMF file and the vulnerability will be triggered," the firm added.
News Director Anne Saita contributed to this report.