News Stay informed about the latest enterprise technology news and product updates.

Researchers warily watch for Microsoft GDI exploits

Symantec, US-CERT and other security organizations are tracking attempts to exploit the GDI flaw Microsoft addressed last week in its MS08-021 patch bulletin.

Security researchers are urging IT shops to install Microsoft's latest batch of patches as quickly as possible to head off attempted attacks against some flaws, most notably the GDI vulnerabilities Microsoft addressed in its MS08-021 bulletin.

Analysis of the images has shown that although they appear to be malicious, they do not contain enough data in the associated image property to sufficiently trigger the vulnerability.
Symantec Alert,

Symantec Corp. has raised its ThreatCon to Level 2 in response to in-the-wild exploits against the GDI flaws, which attackers could exploit to hijack targeted machines by tricking users into opening malware-laced .emf or .wmf files. Microsoft labeled the update critical for those running Microsoft Windows 2000 Service Pack 4 and all supported releases of Windows XP, Windows Server 2003, Vista, and Windows Server 2008.

Symantec defines a Level 2 threat as one in which knowledge or the expectation of attack activity is present, without specific events occurring or when malicious code reaches a moderate risk rating. The Cupertino, Calif.-based security vendor issued an alert to customers of its DeepSight threat management service after observing exploit attempts via its honeynet.

One item researchers are watching is proof-of-concept code publicly posted to the site that successfully targets Chinese editions of Windows 2000 Service Pack 4 (SP4).

Latest Microsoft updates:
Microsoft releases April trove of patches: Windows, Office and IE all have patches deemed critical by Microsoft this month.

Inside MSRC: Microsoft gives guidance on security updates: Microsoft's Bill Sisk takes the reader through the software giant's April 2008 security bulletins.

"At least three different sites are hosting [malicious] images," Symantec said in its alert. "Analysis of the images has shown that although they appear to be malicious, they do not contain enough data in the associated image property to sufficiently trigger the vulnerability."

Despite that, Symantec said it has received reports that reliable exploitation is occurring in the wild. Users are advised to apply the patches immediately and IT administrators should filter activity to the following IP addresses and/or domains: * (hxxp://, * (hxxp://, and *

The threat was considered serious enough for the United States Computer Emergency Readiness Team (US-CERT) to post an alert on its website.

The Bethesda, Md.-based SANS Internet Storm Center also posted a warning on its website. "If you haven't already patched do so now and don't forget to remind your users not to open image files," the storm center's Deborah Hale wrote.

The GDI issues were among several critical security holes Microsoft addressed in its April 2008 patch rollout.

Bill Sisk of the Microsoft Security Response Center has cited MS08-021 as one of the most important updates for the month.

While attempted exploits bear watching, it is not something IT administrators get overly anxious about. Such activity always follows Microsoft's monthly patch release, and many IT shops have installed layers of security in their environments that allows for an orderly patch test and deployment process.

Dig Deeper on Microsoft Windows security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.