Windows Metafile Exploit Could Spell Trouble

A new virus that exploits a critical vulnerability in the Windows Metafile Format (WMF) has been released to the wild and is being used by malware  writers.

Security experts discovered the exploit, which affects versions of Microsoft’s  Windows XP and Windows 2003 Web Server. Unlike many of the larger virus threats that have caused a stir in 2005, there isn’t a patch to plug the flaw.

Exploits with no correcting patch or the knowledge needed to prevent the attack are called zero-day exploits and are enough to drive any security administrator crazy. Because there’s no patch for the flaw, workarounds are needed to prevent the spread of the virus on computers.

While the WMF exploit uses an unknown mechanism to crack past a user’s computer, its delivery model is all-too-familiar. The only way, at the time of this report, to get infected with the exploit is to visit a corrupted Web page hosting a .wmf file using Internet Explorer (IE), according to security firm iDefense.

That doesn’t mean the delivery model won’t change, however. The iDefense advisory notes the exploit’s threat will increase dramatically if attackers are able to get the virus to replicate through file shares, e-mail or instant messages.

Officials at Microsoft stated they are investigating the reports of a possible vulnerability and will take the necessary steps to protect its customers after concluding the investigation.

In the meantime, officials suggest customers follow the guidelines at Microsoft’s Protect Your PC Web site; if customers suspect their computer’s been attacked, they recommend users contact their local FBI office or post a complaint on the Internet Fraud Complaint Center Web site.

If you’ve been hit with the virus, you’ll know it. According to the iDefense advisory, PCs will display clear signs of infection — changes to the desktop, infection warnings displayed in the taskbar and degraded system performance.

Ken Dunham, director of iDefense’s rapid response team, said it’s unclear yet what exactly the exploit is trying to accomplish. Discovery in the past 12 hours, he noted, has showed only limited applications such spyware and adware getting installed on the end user’s computer.

“We don’t know if it’s fraud-related or whatever,” he said. “Clearly, they’re being silently and illegally installed, at a minimum, for personal profit and they may also involve fraud or exploitation.”

Dunham said the next week will show whether the WMF exploit will morph into a truly dangerous virus. He predicts the virus will be be very successful in the short- and long-term and become a popular exploit of choice against Windows XP in the coming months.

Whether it becomes as popular as Zotob or the other bots this summer remains to be seen, he said. That depends on whether security experts are able to get a handle on the vulnerability and the information gets out to computer users; The first six days will be critical.

“I think the next week is going be the most telling and the most significant in terms of risk,” Dunham said.

Its popularity and success is predicated entirely on whether Microsoft is able to put out a patch plugging the vulnerability, or devising a workaround in time and whether end users install the patch.

Microsoft is infamous for the delay between discovery and patch for vulnerabilities to its software, though the company has released critical-rated patches outside its monthly “Patch Tuesday” updates if the threat is serious enough.

For the time being, security experts are recommending some quick-fix workarounds to keep PCs safe from the WMF exploit.

Secunia recommends users set their IE security level to high while iDefense recommends administrators lock down WMF files on the gateway when possible. iDefense also recommends browsing in non-privileged mode on an operating system other than Windows XP or Windows Server 2003.