While malicious software that exploits an unpatched vulnerability in Microsoft Corp.’s Windows operating system is by now the most widely reported threat on the Internet, Microsoft continues to urge customers to wait another week for its official security update.
While WMF attacks are on the rise, they do not appear to be widely infecting corporate customers, according to Santa Clara, Calif.-based security software vendor McAfee Inc.
Microsoft’s security update for the WMF vulnerability is scheduled to be released on January 10 and the Redmond, Wash.-based company is cautioning customers (Microsoft Security Advisory) to wait until then.
Here in Canada, a senior Microsoft executive reiterated that message.
“We can’t endorse third-party updates,” said John Weigelt, National Technology Officer at Microsoft Canada. “We have our software security incident response process underway. We want to make sure the quality is there before releasing an update.”
Weigelt said Microsoft’s customers have requested an orderly process and monthly update schedule to make it easier for their operations management folk to analyze and test patches. “We previously had a release cycle where we simply released an update and let people know, but that didn’t allow our customers to have a repeatable process.”
The number of users potentially at risk is high, with all versions of Windows exhibiting the vulnerability. However, as one Canadian analyst points out, the number of corporate users actually affected so far is relatively low.
“Only a small percentage of organizations have been caught,” says Joe Greene, vice-president of IT security research at Toronto-based IDC Canada. “That indicates some users are getting more educated – people are paying more attention to what’s going on from a security perspective.”
That doesn’t mean the flaw should be downplayed, Greene cautioned. He said Microsoft’s decision not to release the update until Jan. 10 says two things – “this is a really serious flaw, and Microsoft wants to make sure it gets it right.”
The problem is in the way various versions of Windows handle graphics in the WMF (Windows Metafile) format. When a vulnerable computer opens a maliciously crafted WMF file, it can be forced to execute arbitrary code. Microsoft published a first security advisory on Dec. 28, saying it had received notification of the problem on Dec. 27 and was investigating whether a patch was necessary.
On Tuesday, Microsoft updated the advisory to say it had completed development of its own patch, and was testing it for release the following week.
The company said it carefully reviews and tests its security updates, and offers them in 23 languages for all affected versions of its software simultaneously.
However, the chance of running into a malicious WMF file is climbing, and with it the danger of running an unpatched system. Already, one security Web site has had to warn its readers to stay away: the owners of the knoppix-std.org site warned in a forum posting that hackers had modified the site so as to attempt to exploit the vulnerability on site visitors’ machines.
There is “a lot of potential risk” associated with the vulnerability, according to Jay Heiser, a research vice president with Gartner Inc. and the company’s lead analyst on information security issues. “If it can be exploited in any significant way, it would be an extremely big risk.”
“It’s a race between Microsoft and the exploit community,” he said.
The bad guys had a head start in that race. Security researchers at Websense Inc. first spotted malicious Web sites using the exploit on Dec. 27, but those sites may have been doing so as early as Dec. 14, the company said.
On Dec. 28, Microsoft released its first security advisory acknowledging a potential problem.
Over the weekend, it updated this to suggest a way in which users could reduce the risk by disabling an affected part of the OS, called shimgvw.dll. Microsoft warned that the fix has the side effect of stopping the Windows Picture and Fax Viewer from functioning normally. Others report that it also stops Windows Explorer from showing thumbnails for digital photos.
Security researchers outside Microsoft had other ideas: rather than disable shimgvw.dll, they would modify it so that only the functionality considered dangerous was blocked.
By Dec. 31, programmer Ilfak Guilfanov had developed an unofficial patch to reduce the danger of attack, without impairing Windows’ graphics functions. His patch quickly won the support of security researchers including The SANS Institute’s Internet Storm Center (ISC) and F-Secure Corp.
Mikko Hypponen, chief research officer at F-Secure, feels safe recommending the Guilfanov patch for several reasons.
“We know this guy. We have checked the code. It does exactly what he says it does, and nothing else. We’ve checked the binary, and we’ve checked that the fix works,” he said.
He had one final vote of confidence: “We’ve installed it on all our own computers.” But IDC Canada’s Joe Greene advises organizations to get good advice from third-party sources before proceeding with the unofficial patch. “I think anyone is justified in releasing a patch if it’s going to help,” he says. “I’m sure large organizations are going to test that patch anyways. People are adults, they can do it or not.”
Another analyst doesn’t think installing the unofficial patch is such a good idea for businesses. “We wouldn’t recommend it, for testing reasons,” said Sophos PLC’s Senior Security Consultant Carole Theriault.
One of the hidden dangers of the WMF vulnerability is that things are not always what they appear. Usually, WMF files can be identified by their .WMF file extension and blocked as a precaution, but attackers may disguise malicious files simply by giving them another image file suffix, such as .JPG. This works because the Windows graphics rendering engine identifies graphics files by their content, not their name.
That was the case with a file with the title “happynewyear.jpg” that began circulating in e-mail messages on Dec. 31. If opened on a Windows machine, the file attempts to download and install a backdoor called Bifrose.
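To illustrate the content-versus-name point above, here is an added Python checker (example code, not from the article or any vendor it quotes) that sniffs WMF headers the way a defensive mail or web filter should, so that a metafile renamed to .JPG is still flagged. The sample files are constructed header stubs; the header constants follow the published WMF file format.

```python
import struct

# Added example (not from the article): classify image attachments by content, not name.
# Header constants follow the published WMF format: the Aldus placeable header
# begins with key 0x9AC6CDD7 (little-endian on disk); a plain METAHEADER is 18 bytes
# with Type (1 = memory, 2 = disk), HeaderSize (always 9 words) and Version (0x0100/0x0300).
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"
JPEG_SOI = b"\xff\xd8\xff"


def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes carry a WMF header, whatever extension the file was given."""
    if data.startswith(PLACEABLE_WMF_KEY):
        return True
    if len(data) < 18:
        return False
    mtype, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def classify(name: str, data: bytes) -> dict:
    """Compare the claimed type (extension) with the sniffed type (content)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if looks_like_wmf(data):
        content = "wmf"
    elif data.startswith(JPEG_SOI):
        content = "jpeg"
    else:
        content = "unknown"
    # A WMF body behind a non-.wmf name is exactly the disguise the article describes.
    return {"name": name, "extension": ext, "content": content,
            "disguised": content == "wmf" and ext != "wmf"}


# Constructed sample inputs (headers only, no drawing records): a renamed WMF,
# a genuine JPEG and an honestly named WMF.
SAMPLES = {
    "happynewyear.jpg": struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0),
    "photo.jpg": JPEG_SOI + b"\xe0\x00\x10JFIF\x00",
    "chart.wmf": PLACEABLE_WMF_KEY + b"\x00" * 18,
}


def scan(samples: dict) -> list:
    """Return the names of files whose content is WMF but whose name says otherwise."""
    return [name for name, data in samples.items() if classify(name, data)["disguised"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(classify(name, data))
    print("disguised WMF files:", scan(SAMPLES))
```

A filter built on `looks_like_wmf` catches the renamed file that an extension blocklist would wave through; it is a triage aid, not a substitute for the vendor patch.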
As a consequence, said Theriault, businesses should keep existing antivirus protection up to date and concentrate on blocking unsolicited mail while waiting for the Microsoft patch, as this may help to screen out attacks. They should encourage users to practice safe computing by only visiting reputable Web sites and taking care with what they download, she said.
— With files from Robert McMillan, Computer World, US