RealTime IT News

Hackers Exploiting Zero Day Windows Flaw

The Zero Day exploit of the Windows Metafile bug has racked up six variants as of Thursday afternoon and has left security analysts wondering what's coming next -- and how bad it will be.

''This is a significant situation,'' says Steve Sundermeier, a vice president with Central Command, a Medina, Ohio-based anti-virus and anti-spam company. ''Anytime you have no patch available, it's a dangerous situation... We'd rate this as critical.''

The exploit hit the Wild Wednesday morning, infecting fully patched machines. Three variants quickly followed the initial release with the other three coming within 24 hours. The vulnerability lies in the way Windows handles corrupted Windows Metafile (.WMF) graphic files.

It's being called a Zero Day attack because the exploit code was released the same day the vulnerability was identified. Sundermeier points out that the security community hadn't even known about the bug until the exploit hit the Wild.

Malicious code on a number of Web sites exploited the vulnerability on users' machines. At this point, according to Sundermeier, mass-mailing emails have not been sent out directing people to the malicious sites. Users who have been hit have unfortunately stumbled upon the sites.

Dean Turner, senior manager of Symantec's Security Response, says, as of this publication, there are 27 malicious Web sites taking advantage of this bug. ''I would think that we probably will see a lot more since Microsoft hasn't provided a patch yet,'' says Turner. ''But people are trying to take advantage of this. They're not going to let it go. The numbers and how quickly it will take place is going to be very hard to predict.''

Turner explains that these Web sites download a malicious WMF file onto the user's computer. That file exploits the vulnerability, and then opens a backdoor and downloads a keylogger. If the user is logged in to her machine as an administrator, then the attacker could have complete control of the machine.

Vulnerable operating systems include several Windows Server 2003 editions: Datacenter Edition, Enterprise Edition, Standard Edition and Web Edition. Windows XP Home Edition also is at risk, along with Windows XP Professional.

Microsoft has released an advisory, suggesting IT administrators and users set the email client to read only text, and disable Windows picture and fax viewer. No patch has been released.

Central Command also is recommending that the malicious sites are blocked at the gateway. The list of malicious Web sites includes unionseek.com, iframeurl.biz and tfcco.com.

''The whole trick is for the spammers and virus writers to get something out into the Wild and doing damage before the security companies can issue protection,'' says Ted Anglace, a senior security analyst at Sophos, an anti-virus and anti-spam company with U.S. headquarters in Lynnfield, Mass. ''The Holy Grail for the security companies is to have technology that blocks these exploits from the very minute they're launched.''

But until that happens, IT managers and users are left to quickly throw up defenses at the drop of hat.

And that's what makes this a scary situation, according to Sundermeier.

''You're dealing with the unknown,'' he adds. ''One day we're feeling good because everything is patched. Everything is ready and as it should be. And then the next day we have a big problem we didn't even see coming. I'm sure there are at least a dozen other Zero Day exploits waiting to surface.

''I don't think this is an isolated incident,'' says Sundermeier. ''After Microsoft patches this one, Windows users shouldn't be fully confidant.''