Windows 0-Day Exploit Helped by Open Source?

Before many security firms, and even Microsoft, had issued advisories for the recent zero-day Windows Metafile exploit, the open source Metasploit tool was already allowing users to make hay with the vulnerability.

So is Metasploit helping to spread the zero day outbreak, or is it helping security professionals to protect against it? The answer depends.

As reported Wednesday, Windows users are currently at risk from a critical vulnerability in the Windows Metafile Format (WMF) for which there is currently no patch.

The virus exploits a critical vulnerability in the Windows Metafile Format (WMF), and is impacting versions of Microsoft’s Windows XP and Windows 2003 Web Server.

Because there’s no patch for the flaw, workarounds are needed to prevent the spread of the virus on computers. According to security firm iDefense, an attack requires that Internet Explorer users visit a Web site containing malicious code. The exploit targets how IE handles pictures. The malicious sites would host a .wmf file.
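Since the flaw is triggered by how IE renders the picture data rather than by the file name, a defender filtering Web traffic wants to identify WMF content by its header, not by the .wmf extension. The following is an added example, not code from the article or from any vendor quoted in it; the header constants come from the WMF format (placeable key and the standard metafile header), and the sample responses are constructed, hypothetical values.

```python
import struct

# WMF signatures taken from the WMF format, not from the article:
# - placeable metafile: 4-byte key 0x9AC6CDD7, stored on disk as D7 CD C6 9A
# - standard metafile header: mtType 1 (memory) or 2 (disk),
#   mtHeaderSize 9 (words), mtVersion 0x0100 or 0x0300
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"


def is_wmf(data: bytes) -> bool:
    """Return True if data begins with a placeable or standard WMF header."""
    if data.startswith(PLACEABLE_KEY):
        return True
    if len(data) < 18:  # standard header is 18 bytes
        return False
    mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, 0)
    return (mt_type in (1, 2)
            and mt_header_size == 9
            and mt_version in (0x0100, 0x0300))


def flag_wmf_responses(responses):
    """responses: iterable of (url, content_type, body).
    Returns the URLs whose body is WMF data, whatever the declared
    extension or Content-Type says."""
    return [url for url, _ctype, body in responses if is_wmf(body)]


# Constructed sample responses (hypothetical URLs, not real sites).
SAMPLE = [
    # genuine JPEG: should not be flagged
    ("http://example.test/photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\0" * 20),
    # placeable WMF served under its own extension
    ("http://example.test/pic.wmf", "image/x-wmf", PLACEABLE_KEY + b"\0" * 30),
    # standard WMF header (type 2, size 9 words, version 0x300) served as a .gif
    ("http://example.test/img.gif", "image/gif",
     struct.pack("<HHHIHIH", 2, 9, 0x0300, 100, 1, 0, 0)),
]

if __name__ == "__main__":
    for url in flag_wmf_responses(SAMPLE):
        print("WMF content:", url)
```

The check is a content filter only; it says nothing about whether a given WMF file is malicious, so it belongs in a blocking or alerting policy for the period before a patch is available.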

By Thursday afternoon there were already numerous variants of the original exploit in circulation and at least 27 malicious Web sites attempting to infect users.

Microsoft had no new information beyond the Security Advisory it issued Wednesday. No patch for the vulnerability had been issued by press time Friday.

Reports of the zero-day exploit first began to gain momentum on Wednesday morning, but by late Tuesday the exploit was already included in the open source Metasploit Framework. Licensed under the GPL, Metasploit is “an advanced open-source platform for developing, testing, and using exploit code,” according to its Web site.

Essentially, what Metasploit does is enable users to “test” exploits with relative point-and-click ease. Metasploit Framework version 2.5 was released in October of this year, and version 3.0 is in active development.

Metasploit Framework security researcher H.D. Moore does not believe that his tool has helped to make the Windows Metafile zero-day exploit more widespread to any significant degree.

“Obviously, the bad guys already know how to abuse this flaw, otherwise it wouldn’t have 50+ variants,” Moore told in an e-mail interview.

Panda Software CTO Patrick Hinojosa said Metasploit has made the exploit easier to spread, though he did acknowledge, as Metasploit’s site notes, that the exploit was already “in the wild” before it was included in the framework.

“I cannot say for certain if they have helped to spread it, as the source was already available,” Hinojosa told. “I do not think it is prudent to post the code module, at least until there is a fix, so as not to make it too easy to exploit.”

The inclusion of the exploit in Metasploit does have some degree of impact on the overall threat though, according to another security professional. Ken Dunham, director of the Rapid Response Team at security firm iDefense, explained that the Metasploit project makes it easy for people to quickly understand and work with an exploit.

“This type of project does impact exploitation activity in the wild and is a notable factor in assessing evolving risk for exploitation of a vulnerability,” Dunham said.

Still, Metasploit’s Moore argues that the framework allows users to test their systems for vulnerability in a safe manner.

“The exploit was added to the Metasploit Framework for the purpose of allowing people to test their own systems without actually triggering the spyware installation,” Moore said. “Having a ‘safe’ exploit for a flaw like this allows IDS vendors, security professionals, and administrators to develop and test defenses against the flaw.”

Moore also notes that Metasploit could well be used as part of the solution to develop a patch.

“The Metasploit Framework allows the user to supply a custom payload for any included exploit code,” Moore explained. “This can be used to automatically patch vulnerable systems as they are exploited.”

Though Metasploit is obviously intended as a defensive tool, Moore does acknowledge that it can be used by malicious users as well.

“We realize that an attacker could use the Framework exploit to gain unauthorized access, obtain sensitive files, or install a backdoor, but that goes with the territory of releasing public exploits in the first place,” Moore said.
