
New Exploit for Unpatched Windows Flaw

It appears we will be ringing in the new year with a new and improved exploit that online miscreants can use to attack an unpatched Microsoft Windows flaw and install spyware, viruses and other dangerous digital intruders.

The latest bit of malware takes advantage of the same Windows Metafile (files ending in .wmf) security hole that Security Fix warned about earlier this week, the one where Windows users can get infected just by clicking on a specially crafted link in an e-mail or visiting a Web site that hosts the malicious code.

The part that's different about this attack is that it's designed to generate slightly different program code each time the exploit is run -- creating a new threat with a random file size, non-WMF file extension (like .jpeg) and other variable tricks. The folks over at the SANS Internet Storm Center have more detailed information about the new exploit if you're interested.

This is a big deal because so far -- without a patch from Redmond to remedy this problem -- the major antivirus vendors have been the first lines of defense against this attack, and they have relied mainly on adding new signatures to their software to detect the latest threats each time a new one appears. But by changing the profile of the attack slightly with each iteration, the new exploit's random attack code has a far greater chance of slipping past software shields.

SANS said the random garbage added onto any attack code generated with the new exploit could make it very hard for anti-virus companies to develop signatures to detect the new threats.

Last week, I wrote about tests run by Andreas Marx of AV-Test.org that looked at the response time of various antivirus products to some of the largest computer worm outbreaks of 2005. This morning, Marx sent me an e-mail listing each of the products that now detect all 73 known versions of the old WMF exploit: those products included AntiVir, Avast!, BitDefender, ClamAV, Command, Dr Web, eSafe, eTrust-INO, eTrust-VET, Ewido, F-Secure, Fortinet, Kaspersky, McAfee, Nod32, Norman, Panda, Sophos, Symantec, Trend Micro, and VirusBuster.

But, Marx said, "It looks like some of the 100% companies have simply added detections for all of the files I've sent out, without actually having a generic detection in place, but instead of this, 73 different signatures to detect all 73 different files. That's not good."

Not good indeed, given the morphing abilities of this new exploit. I suspect the 2006 work year will begin a bit too soon for many network and computer defense professionals out there.
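To make the difference between "73 signatures" and "a generic detection" concrete, here is an added illustration (not code from the post or from any vendor). It models each generated variant as the same 18-byte standard WMF header followed by random-length garbage, hash-signs 73 of them, and then shows that an unseen variant wearing a .jpeg name slips past the exact-hash list but is still caught by a check that reads the metafile header instead of trusting the file name or size. The header layout and the sample bytes are constructed for the demonstration; no exploit content is involved.

```python
import hashlib
import random
import struct

# Constructed stand-in for a metafile: the 18-byte standard WMF header only
# (mtType=2 disk metafile, mtHeaderSize=9 words, mtVersion=0x0300); the
# remaining header fields are zeroed and no drawing records follow.
WMF_HEADER = struct.pack("<HHHHHHIH", 2, 9, 0x0300, 0, 0, 0, 0, 0)
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7 little-endian, 22-byte header

def make_variant(seed: int) -> bytes:
    """Model one generated variant: identical header, random-length trailing
    garbage, so every sample has a different size and a different hash."""
    rng = random.Random(seed)
    tail = bytes(rng.randrange(256) for _ in range(rng.randrange(16, 512)))
    return WMF_HEADER + tail

def signature_match(data: bytes, known_hashes: set) -> bool:
    """Per-file signature: exact SHA-256 of a sample seen before."""
    return hashlib.sha256(data).hexdigest() in known_hashes

def looks_like_wmf(data: bytes) -> bool:
    """Generic detection: recognise a metafile from its header, ignoring the
    file name, the total size and whatever bytes follow the header."""
    if data[:4] == PLACEABLE_KEY:
        data = data[22:]          # skip the optional placeable header
    if len(data) < 18:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)

def suspicious_upload(filename: str, data: bytes) -> bool:
    """Flag content that is really a metafile but carries a non-WMF name."""
    return looks_like_wmf(data) and not filename.lower().endswith(".wmf")

def compare(known_count: int = 73, new_seed: int = 1000) -> dict:
    """Hash-sign the first `known_count` variants, then test an unseen one."""
    known = {hashlib.sha256(make_variant(s)).hexdigest() for s in range(known_count)}
    new = make_variant(new_seed)
    return {
        "hash_signature_catches_new": signature_match(new, known),
        "generic_check_catches_new": looks_like_wmf(new),
        "flagged_despite_jpeg_name": suspicious_upload("holiday.jpeg", new),
    }

if __name__ == "__main__":
    print(compare())
```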

By Brian Krebs  |  December 31, 2005; 5:38 PM ET
Categories: Latest Warnings

Comments

There has been an unofficial patch developed for this vulnerability which could be used as a temporary solution. F-Secure mentioned this in their blog. I installed this patch on my Windows XP SP2 machine and found no problems with it. It may be a good idea to think about using this patch until Microsoft gets off their...I mean until Microsoft releases an official patch for this.

Use at your own risk (open to interpretation)

http://www.f-secure.com/weblog/archives/archive-122005.html#00000756

http://www.hexblog.com/2005/12/wmf_vuln.html

I am seriously thinking of installing linux on my workstation that I use for work. I work in Information Security and can't take a chance of my own system getting compromised and this threat has made me more afraid than most in the recent past.

Posted by: David Taylor | December 31, 2005 6:08 PM

Dear Mr. Brian Krebs

I'm sure many of us who have heard of and read your article are appreciative of your heads up.

I however have to wonder about the people who do not have or bought the Windows XP OEM version where their Service Pack 1 is embedded and are unable to get, when provided, the update to eliminate this menacing worm? Most all retail computers have either Dell, Hewlett Packard, Gateway or Compaq OEM software that has Service Pack 1 embedded, and any updates from Windows cannot be installed, which is not only unfair, but look at the many unsuspecting people who may or may not be able to download the patch.

I sincerely hope this too will be resolved, but it might be worth looking into, seeing as the retail stores will never tell you about this issue.

Tim Martinez

P.S. Microsoft has yet to mention anything about this issue on their site that I've looked for.

Posted by: Tim Martinez | January 2, 2006 10:53 AM

Are Macs affected?

Posted by: JTGates | January 2, 2006 5:26 PM

As a longtime Windows user, I'm not surprised by this new vulnerability. But, I would like to give a message to Bill Gates: The next PC that I obtain will have Linux.

Posted by: Parris | January 2, 2006 11:10 PM

I use a dialup internet service. After waiting 2 minutes for all of the advertising garbage to load on your page, I find that your link to the patch is no good. You people aren't any better than M$.

Posted by: Anonymous | January 4, 2006 12:21 AM

>> Are Macs affected?

No! :-)

Posted by: Sherlock | January 4, 2006 1:30 AM

Macs suck. 'Nuff said.

Posted by: guest | January 4, 2006 1:04 PM

© 2010 The Washington Post Company