
By Dawn Kawamoto, News.com
Posted on ZDNet News: Jan 3, 2006 7:55:00 PM

A flaw in Microsoft's Windows Meta File has spawned dozens of attacks since its discovery last week, security experts warned Tuesday.

The attacks so far have been wide-ranging, the experts said, citing everything from an MSN Messenger worm to spam that attempts to lure people to click on malicious Web sites.

The vulnerability can be easily exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said. Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit, said Mikko Hypponen, chief research officer at F-Secure.


"Right now, the situation is bad, but it could be much worse. The potential for problems is bigger than we have ever seen," Hypponen said. "We estimate 99 percent of computers worldwide are vulnerable to this attack."

The Windows Meta File flaw allows images to be used to execute arbitrary code, according to a security advisory issued by the Internet Storm Center. It can be exploited simply by the user viewing a malicious image.

Microsoft plans to release a fix for the WMF vulnerability as part of its monthly security update cycle on Jan. 10, according to the company's security advisory.

"We have seen dozens of different attacks using this vulnerability since Dec. 27," Hypponen said. "One exploits image files and tries to get users to click on them; another is an MSN Messenger worm that will send the worm to people on your buddy list, and we have seen several spam attacks."

He added that some of the spam attacks have been targeted to select groups, such as one that purports to come from the U.S. Department of State. The malicious e-mail tries to lure the user to open a map attachment and will then download a Trojan horse. The exploit will open a backdoor on the user's system and allow sensitive files to be viewed.

The WMF flaw has already resulted in attacks such as the Exploit-WMF Trojan, which made the rounds last week.

Although Microsoft has not yet released a patch, security vendors such as F-Secure and the Internet Storm Center are noting that Ilfak Guilfanov, a Russian security engineer, has released an unofficial fix that has been found to work.

"Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system," F-Secure noted in its daily security blog. "All pictures and thumbnails continue to work normally."

Security companies also are advising computer users to unregister the related "shimgvw.dll" portion of the Windows platform. Unregistering the DLL, however, may also disable certain Windows functions and has not been thoroughly tested, according to a security advisory issued by Secunia.

Despite the potential for a large number of computer users to be affected by exploits related to this vulnerability, Hypponen said a widespread virus outbreak, as people return to work from the long holiday, is unlikely.

"We are still far away from a massive virus," he said. "Most people get attacked by this if they (search for something on the Internet) and get a million results. They may click on a link that goes to a malicious Web site or one that has been hacked, and then get infected."
