The Zero Day exploit of the Windows Metafile bug has racked up six
variants as of Thursday afternoon and has left security analysts
wondering what’s coming next — and how bad it will be.
”This is a significant situation,” says Steve Sundermeier, a vice
president with Central Command, a Medina, Ohio-based anti-virus and
anti-spam company. ”Anytime you have no patch available, it’s a
dangerous situation… We’d rate this as critical.”
The exploit hit the Wild Wednesday morning, infecting fully patched
machines. Three variants quickly followed the initial release with the
other three coming within 24 hours. The vulnerability lies in the way
Windows handles corrupted Windows Metafile (.WMF) graphic files.
It’s being called a Zero Day attack because the exploit code was released
the same day the vulnerability was identified. Sundermeier points out
that the security community hadn’t even known about the bug until the
exploit hit the Wild.
Malicious code on a number of Web sites exploited the vulnerability on
users’ machines. At this point, according to Sundermeier, mass-mailing
emails have not been sent out directing people to the malicious sites.
Users who have been hit have unfortunately stumbled upon the sites.
Dean Turner, senior manager of Symantec’s Security Response, says, as of
this publication, there are 27 malicious Web sites taking advantage of
this bug. ”I would think that we probably will see a lot more since
Microsoft hasn’t provided a patch yet,” says Turner. ”But people are
trying to take advantage of this. They’re not going to let it go. The
numbers and how quickly it will take place is going to be very hard to
predict.”
Turner explains that these Web sites download a malicious WMF file onto
the user’s computer. That file exploits the vulnerability, and then opens
a backdoor and downloads a keylogger. If the user is logged in to her
machine as an administrator, then the attacker could have complete
control of the machine.
Vulnerable operating systems include several Windows Server 2003
editions: Datacenter Edition, Enterprise Edition, Standard Edition and
Web Edition. Windows XP Home Edition also is at risk, along with Windows
XP Professional.
Microsoft has released an advisory, suggesting IT administrators and
users set the email client to read only text, and disable Windows picture
and fax viewer. No patch has been released.
Central Command also is recommending that the malicious sites are blocked
at the gateway. The list of malicious Web sites includes unionseek.com,
iframeurl.biz and tfcco.com.
”The whole trick is for the spammers and virus writers to get something
out into the Wild and doing damage before the security companies can
issue protection,” says Ted Anglace, a senior security analyst at
Sophos, an anti-virus and anti-spam company with U.S. headquarters in
Lynnfield, Mass. ”The Holy Grail for the security companies is to have
technology that blocks these exploits from the very minute they’re
launched.”
But until that happens, IT managers and users are left to quickly throw
up defenses at the drop of hat.
And that’s what makes this a scary situation, according to Sundermeier.
”You’re dealing with the unknown,” he adds. ”One day we’re feeling
good because everything is patched. Everything is ready and as it should
be. And then the next day we have a big problem we didn’t even see
coming. I’m sure there are at least a dozen other Zero Day exploits
waiting to surface.
”I don’t think this is an isolated incident,” says Sundermeier. ”After
Microsoft patches this one, Windows users shouldn’t be fully confidant.”