Hackers Exploiting Zero Day Windows Flaw

The Zero Day exploit of the Windows Metafile bug has racked up six

variants as of Thursday afternoon and has left security analysts

wondering what’s coming next — and how bad it will be.

”This is a significant situation,” says Steve Sundermeier, a vice

president with Central Command, a Medina, Ohio-based anti-virus and

anti-spam company. ”Anytime you have no patch available, it’s a

dangerous situation… We’d rate this as critical.”

The exploit hit the Wild Wednesday morning, infecting fully patched

machines. Three variants quickly followed the initial release with the

other three coming within 24 hours. The vulnerability lies in the way

Windows handles corrupted Windows Metafile (.WMF) graphic files.

It’s being called a Zero Day attack because the exploit code was released

the same day the vulnerability was identified. Sundermeier points out

that the security community hadn’t even known about the bug until the

exploit hit the Wild.

Malicious code on a number of Web sites exploited the vulnerability on

users’ machines. At this point, according to Sundermeier, mass-mailing

emails have not been sent out directing people to the malicious sites.

Users who have been hit have unfortunately stumbled upon the sites.

Dean Turner, senior manager of Symantec’s Security Response, says, as of

this publication, there are 27 malicious Web sites taking advantage of

this bug. ”I would think that we probably will see a lot more since

Microsoft hasn’t provided a patch yet,” says Turner. ”But people are

trying to take advantage of this. They’re not going to let it go. The

numbers and how quickly it will take place is going to be very hard to

predict.”

Turner explains that these Web sites download a malicious WMF file onto

the user’s computer. That file exploits the vulnerability, and then opens

a backdoor and downloads a keylogger. If the user is logged in to her

machine as an administrator, then the attacker could have complete

control of the machine.

Vulnerable operating systems include several Windows Server 2003

editions: Datacenter Edition, Enterprise Edition, Standard Edition and

Web Edition. Windows XP Home Edition also is at risk, along with Windows

XP Professional.

Microsoft has released an advisory, suggesting IT administrators and

users set the email client to read only text, and disable Windows picture

and fax viewer. No patch has been released.

Central Command also is recommending that the malicious sites are blocked

at the gateway. The list of malicious Web sites includes unionseek.com,
iframeurl.biz and tfcco.com.

”The whole trick is for the spammers and virus writers to get something

out into the Wild and doing damage before the security companies can

issue protection,” says Ted Anglace, a senior security analyst at

Sophos, an anti-virus and anti-spam company with U.S. headquarters in

Lynnfield, Mass. ”The Holy Grail for the security companies is to have

technology that blocks these exploits from the very minute they’re

launched.”

But until that happens, IT managers and users are left to quickly throw

up defenses at the drop of hat.

And that’s what makes this a scary situation, according to Sundermeier.

”You’re dealing with the unknown,” he adds. ”One day we’re feeling

good because everything is patched. Everything is ready and as it should

be. And then the next day we have a big problem we didn’t even see

coming. I’m sure there are at least a dozen other Zero Day exploits

waiting to surface.

”I don’t think this is an isolated incident,” says Sundermeier. ”After

Microsoft patches this one, Windows users shouldn’t be fully confidant.”

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web