Experts express concern over WMF patch delay

Security experts agree that a large-scale exploit is possible while users wait for next week's Windows Meta File patch. In the meantime, experts advise managers to educate users about what sites they should and shouldn't visit.

Microsoft's plan to hold the release of an urgently needed patch until next Tuesday does not sit well with security experts.

The fix is for an extremely critical Windows Meta File glitch involving the way Windows handles its image files. It could become a major headache for IT professionals this week as exploits are released and enterprise users return from a long holiday break.

Security firms are urging IT managers to take serious precautions in the next few days while they wait for the patch.

Several companies have raised their alert and threat levels in response to the delay before the patch is released. Cupertino, Calif.-based antivirus firm Symantec Corp. has raised its ThreatCon status to Level 3 on a 1-to-4 scale. The firm has not placed its threat level at 3 since July 2004, during the MyDoom attack.

"What makes this special is there are a lot of systems that could be exploited," said Jonah Paransky, a senior manager with Symantec. "Will there be a widespread attack? We don't know. Could there be one? Certainly."

Pointing to the quick nature of exploits once a vulnerability has been found, Paransky said waiting for four or five days for a patch is an eternity in some enterprise environments. "The average time between a vulnerability ID and a patch from a vendor is 42 days," he said. "The average time for an exploit to be released in response to a vulnerability is six days."

Other antivirus experts are also urging vigilance for IT administrators. Carole Theriault, a security consultant with U.K. firm Sophos Plc, said there are already a few hundred exploits trying to take advantage of the glitch. The exploits are arriving in e-mail, instant messaging and through Web browsing. Sophos has moved its threat level warning from low to medium-high.

"The likeliest scenario is that you would receive an unsolicited e-mail, which would then attempt to entice you to click on a link," said Theriault. "The link would bring you to a compromised Web page, which would attempt to exploit the vulnerability."

Finnish security firm F-Secure Corp. has raised its Radar Alert to its second highest level. Mikko Hyppönen, the company's antivirus research director, was hesitant to get into scenarios because of the massive risk. Hyppönen said he was especially concerned because almost all Windows machines are vulnerable.

"We're afraid of an e-mail worm that would use image files to spread. If that would happen, it would be a massive, global outbreak almost immediately," he said.

SANS Internet Storm Center (ISC) in Bethesda, Md., is hosting an online poll to gauge how users have been impacted so far by the WMF vulnerability. According to results on Wednesday, 11% of respondents had already been hit by some infection. However, the large majority, 78%, had not seen an exploit yet.

"Given that the vulnerability can spread through e-mail and does not require any user interaction, there is a real potential for a mass outbreak via e-mail," said SANS chief research officer Johannes Ullrich. "I don't think a 'blaster type' attack is possible, but something like 'zotob' is possible."

Further illustrating the seriousness of the threat, the ISC has taken the unusual step of endorsing an unofficial fix available via Russian programmer Ilfak Guilfanov's blog.

While they wait for Tuesday's fix, antivirus experts advise managers to educate users about what sites they visit and what e-mail attachments they open. Symantec's Paransky said managers should go a step further and block access to untrustworthy sites if possible.

"This is not a time for users to go plumbing the depths of the Internet," said Paransky. "It's like dangerous neighborhoods -- there are times when you may feel safe visiting them. But right now, don't go there."
