Update on the Critical Unpatched Windows Flaw

Security Fix warned readers on Wednesday about thousands of malicious Web sites that are using an unpatched Windows security hole to install spyware, spam-ware and other programs on computers when their owners merely browse to one of these sites. As serious as this situation is -- and it is hard to find a recent Windows threat as potentially dangerous as this one -- the problem may be more dire than initial reports suggested.

For one thing, the vulnerability being exploited -- a flaw in the way the operating system renders Windows Metafile or "WMF" image files -- affects even fully patched Windows systems, and not just Windows XP and Windows 2003 Web server, as previously thought. According to an advisory published by Microsoft late Wednesday, the flaw is present in every Windows version dating back to Windows 98.

Wednesday's Security Fix post on this threat was picked up by geek news site Slashdot, where several readers pooh-poohed the exploit, saying that WMF files are hardly used anymore. Whether they are or not is beside the point: According to Symantec, the flaw can be exploited using more familiar image file extensions, such as ".gif" or ".jpg", because Windows identifies a WMF file by its contents, not by its name.

What's more, this vulnerability could be exploited by causing a malicious image file to be displayed in any software that relies on the flawed Windows WMF rendering engine. Put simply, that means the exploit would work if a user merely viewed one of these images in the preview pane of an e-mail application like Microsoft Outlook, or even one cut-and-pasted into an attached Microsoft Word document.
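Because the renderer trusts the file's contents rather than its extension, a defender cannot filter on ".wmf" alone. The following is an added example, not code from the original post: a Python content sniffer, of the kind a mail gateway or proxy filter could run, that recognises the WMF header structure (the optional placeable header and the META_HEADER fields from the WMF format) regardless of the file name. The sample files and the constant and function names are constructed for this illustration.

```python
import struct

# WMF layout: optional 22-byte "placeable" header keyed by 0x9AC6CDD7, then META_HEADER (9 words).
PLACEABLE_WMF_KEY = 0x9AC6CDD7
WMF_HEADER_WORDS = 9
WMF_VERSIONS = {0x0100, 0x0300}  # METAVERSION100 / METAVERSION300

def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes carry a WMF header, whatever the file is called."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_WMF_KEY:
        data = data[22:]  # skip the placeable header to reach META_HEADER
    if len(data) < 18:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    return mt_type in (1, 2) and header_size == WMF_HEADER_WORDS and version in WMF_VERSIONS

def classify(name: str, data: bytes) -> str:
    """Flag WMF content hiding behind a non-WMF extension (the .gif/.jpg case above)."""
    if not looks_like_wmf(data):
        return "other"
    return "wmf" if name.lower().endswith(".wmf") else "disguised-wmf"

def build_minimal_wmf(placeable: bool = False) -> bytes:
    """Constructed, harmless test file: META_HEADER plus a single META_EOF record."""
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300, 12, 0, 0, 3, 0)
    body = header + struct.pack("<IH", 3, 0x0000)
    if placeable:
        # Key, HWmf, bounding box (left, top, right, bottom), Inch, Reserved, then XOR checksum
        prefix = struct.pack("<IHhhhhHI", PLACEABLE_WMF_KEY, 0, 0, 0, 100, 100, 96, 0)
        checksum = 0
        for (word,) in struct.iter_unpack("<H", prefix):
            checksum ^= word
        body = prefix + struct.pack("<H", checksum) + body
    return body

# Constructed samples: two honest image headers and a WMF renamed to .jpg.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "anim.gif": b"GIF89a" + b"\x00" * 32,
    "chart.wmf": build_minimal_wmf(),
    "banner.jpg": build_minimal_wmf(placeable=True),
}

def scan(samples: dict) -> dict:
    """Map each file name to a verdict; a gateway would quarantine 'disguised-wmf'."""
    return {name: classify(name, data) for name, data in samples.items()}
```

Running `scan(SAMPLES)` flags only `banner.jpg` as `disguised-wmf`; the check is a header sniff, so it complements rather than replaces anti-virus signatures.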

Back when the Slammer worm emerged in Jan. 2003, it took a while to figure out why so many computers were affected by the fastest-spreading network worm ever. Many affected companies -- even those who had applied the patch to fix the problem Slammer exploited -- found out later that the vulnerability was present in dozens of third-party applications programmed to build upon and/or interact with the flawed Microsoft component. I wonder how long it will be until we see a complete list of Windows applications and third-party software that use the Windows WMF rendering engine.

Microsoft's security advisory doesn't really offer any advice about steps customers can take to protect themselves from this threat, other than to urge users to update their anti-virus software and to check out the "safe browsing" tips at Microsoft's Trustworthy Computing page. For a stopgap fix for this vulnerability, check out our most recent post.

The Microsoft advisory also is notable for another omission: Whenever someone publicly releases an exploit for a previously unknown flaw in Windows and doesn't alert Microsoft to give the company time to develop a fix for the problem, Microsoft unfailingly uses its public advisories to chastise those individuals for making the Internet a scarier and less secure place. That kind of verbal finger-wagging is absent in this latest Microsoft advisory, suggesting that perhaps Microsoft had been alerted to this threat at some point in the not-too-distant past but could not test and release a patch quickly enough.

Another possible explanation is that this problem was reported to Microsoft and that the company attempted to patch it but failed to fully fix the problem. On November 8, Microsoft issued a patch to fix several problems in various Windows graphics rendering engines, including a WMF flaw. But of course, all of this is mere speculation at this point; I'm still waiting to hear back from Microsoft on that question. Stay tuned.

By Brian Krebs  |  December 29, 2005; 8:42 AM ET
Categories: Latest Warnings

Comments

In general Microsoft's answer to their security incompetence has been to proclaim their auto-patching and updating system "the solution", but with the real expertise moving more to the hands of the spoofers isn't it only a matter of (short term) time before even that system gets spoofed? This would allow someone to simultaneously infect all Windows machines on the planet would it not? Is this not all a house of cards? Isn't the big crash out there lurking?

Posted by: Richard Finkelstein | December 29, 2005 9:38 AM | Report abuse

You can avoid the risk altogether with this approach:

http://geekswithblogs.net/lorint

Posted by: Lorin Thwaits | December 29, 2005 9:51 AM | Report abuse

A couple of points...

Microsoft does list the fix in their security bulletin. This exploit cannot use gif and jpg, it only uses wmf. The method could possibly be used in another exploit that could potentially make use of gifs and jpegs. That's a big difference.
Not giving vendors time to implement fixes is ludicrous. I predict it won't be long before one of these companies gets sued for doing so.

Posted by: Bob Campbell | December 29, 2005 10:47 AM | Report abuse

When are people gonna learn!
Quit using Windoze folks.
Use GNU/Linux which as far as I know in recent times has not had such a plethora of vulnerabilities. Every other month and week we have some vulnerability in the Windoze OS which some nefarious denizens of the net can exploit.

Posted by: K M Ashraf | December 29, 2005 11:57 AM | Report abuse

I love how long it takes things to reach the top from the underground. And when it does it's a big shocking surprise exploded by media.

<3 commercialization

Posted by: soes | December 29, 2005 12:46 PM | Report abuse

Just get an Apple and forget the Windows madness.

Posted by: Joseph Finch | December 29, 2005 1:50 PM | Report abuse

I can still browse safely. Get a Mac! You don't need Windows to do anything besides niche stuff (specific CAD software, whatever.)

Posted by: Mac User | December 29, 2005 2:34 PM | Report abuse

This is just one more example of how clueless Micro$oft is about security. They will NEVER get it right. Bill Gate$ should be in JAIL.

Posted by: Jay | December 29, 2005 2:47 PM | Report abuse

You are right, One of these days...
Thankfully not ALL Windows computers have autoupdate installed, but if Windows auto-update infected everyone we would see the mother of all class action lawsuits. Microsoft couldn't stay around after that.

Posted by: Anonymous | December 29, 2005 3:26 PM | Report abuse

I didn't know Bill Gates wrote the whole Windows OS by himself. At least, that's what some people posting here seem to think. Why does everyone jump on the Microsoft bashing bandwagon (the wagon is full of nerds anyway!)? Can you imagine if tomorrow, Microsoft went bankrupt and that was the end of that? Grow up people. If you've written a better operating system, please show it to us; if you haven't, then shut up.

Posted by: Dermot | December 29, 2005 4:14 PM | Report abuse

If nobody used Windows, hacks and exploits would be targeted towards something else. Unix systems are the most hacked systems in the world. It is easy to destroy things (like the earth!)--not so easy to withstand constant attack. OS evangelists (Apple, or Windows, or Linux, or other) are fools (like any religious zealot). Diversity is good. Do you really think Microsoft is weak--and why would you work so hard to create that scenario? Perhaps, the more you attack the stronger they get? Have fun! In the meantime, I think I will spend some quality time outdoors.

Posted by: SurfaceDweller | December 29, 2005 4:33 PM | Report abuse

Bill "Spyware" Gates.

Posted by: wayne lewis | December 29, 2005 5:08 PM | Report abuse

To the allegation that "vendors should be given time" to fix problems their incompetence and oversights cause, this one is already in the wild according to F-Secure (http://www.f-secure.com), in the form of websites for shady banner/popup ad affiliate programs and even shadier "PC tool" sellers...in all cases, the sites apparently just use the exploit to load spyware/adware and "fake" anti-spyware programs that are yet more adware. Since the problem is out there and known, the best solution is to make it even more well-known, so that people at least can be vigilant...

Posted by: Koar | December 29, 2005 5:57 PM | Report abuse

Be advised that the "stop gap" measure to simply...

"regsvr32 /u shimgvw.dll"

...by itself does not work; nor does deleting/renaming the DLL.

In a short few moments after..."Windows System File Protection" steps in and "puts it back."

Myself, I don't know how to play nice with System File Protection outside the recovery console. (delete from dllcache)

...just FYI for anyone thinking of using group policy to shut down this DLL; don't waste your time.

Posted by: Net Admin | December 29, 2005 7:15 PM | Report abuse

Posted by: anon | December 29, 2005 8:30 PM | Report abuse

Oops, sorry, that's the wrong patch.

Posted by: anon | December 29, 2005 8:37 PM | Report abuse

We who criticize Microsoft for their deeply flawed software security (at least those of us who know what we are talking about) don't criticize Microsoft because their software doesn't work, but because they repeatedly have released their products before they are "ready for prime time" and then use their customers as unwitting beta testers, and then when the vulnerabilities are found, it takes them ages to patch their vulnerabilities. The true comparison between Microsoft's and the most popular Unix-based browsers shouldn't be made between "which one is more hackable" but "which one has shown the most responsibility towards patching vulnerabilities once they are found". Using this criterion, Mozilla's open-source products win hands down over Microsoft.

Posted by: Montresor | December 29, 2005 11:14 PM | Report abuse

Good reporting Brian.
Am I wrong in concluding that the vast majority of Windows security exposures have a common denominator--buffer overflow or unchecked buffer or invalid buffer....
If so, does that mean there is a Microsoft compiler design defect that facilitates these exploits along the seams of code? If so, we know there must be unknown thousands more. An analogy would be building an SR-71 with most joints made of wood.

And whatever happened to the venerable
No-execute (NX), Data Execution Prevention (DEP), and execute disabled bit (XD) counter-measures? Were they just an illusion of vendor marketers?

Posted by: Spyaxe Victim | December 30, 2005 12:22 AM | Report abuse

"And whatever happened to the venerable No-execute (NX), Data Execution Prevention (DEP), and execute disabled bit (XD) counter-measures?"

You can turn DEP on in Windows XP SP2 via the System control panel. In theory it should mean buffer overflows cannot be exploited.

DEP causes some badly written programs to crash (the Nokia phone software crashed here, and I've read that some HP printer drivers also have problems) but you can add problematic programs to an exclusion list (or simply stop using them and demand a fix) while still maintaining security around other programs.

Posted by: Leo Davidson | December 30, 2005 6:33 AM | Report abuse

Two Points:
1) "Good reporting Brian". This is not "reporting", it's a blog that states the author's opinions. There is a huge difference between reporting, journalism and opinions found on blogs.

2) "Since the problem is out there and known, the best solution is to make it even more well-known" This is like letting the world know that a given bank's alarm system is broken, and then, as the banks get robbed, pat yourself on the back for performing a public service.

oh and one last thing that probably will mean very little to those leaving comments, but...
I work for a large company doing vendor audits for compliance. When we find security vendors who engage in this kind of practice, they're removed from the company's approved vendor list. It shows an overall disregard for the company's security and a lack of business maturity.

Posted by: Bob Campbell | December 30, 2005 7:38 AM | Report abuse

This damn OS ruined everything, they cannot even block one Spyware through IE....Fcukk Microsoft.

Posted by: Microsoftuser | December 31, 2005 1:33 AM | Report abuse

It is surely a good point made by R. Finkelstein. Supposing a Microsoft employee (or a cabal) decided to use the Windows update mechanism to attack Windows computers en-masse? If they had the expertise - or even if there were a credible threat that they did - they might be in a position to hold nations to ransom.

On another topic altogether, it certainly is gross incompetence on the part of Microsoft that their system software has these vulnerabilities. The decision to use the primitive programming language C prevents the use of the IA-32's segmentation mechanism. Guess what? That mechanism provides a way to prevent data being executed, and has done since before the 80386 (back in 1987). In addition, almost any other language rather than C (and C++) has the ability to detect and prevent buffer overflow exploits. These are just two examples of a long, long litany of Microsoft's technical incompetence. Of course, all the Unixen suffer from the problems of C as well.

Posted by: Nick Roberts | January 1, 2006 12:54 AM | Report abuse

I don't know who does your email newsletter links (if its software, tell me what product to NEVER buy/use), but at least twice in as many months, the links have been skewed. This past Wednesday:
TechNews.com Daily Report Wednesday, Jan. 11, 2006
...the iPod link opened the Unisys article.

Come on! Make the link person click their own work from now on...

Posted by: Me | January 16, 2006 5:08 PM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company