[ISN] Wait for Windows patch opens attack window
isn at c4i.org
Wed Jan 4 06:06:10 EST 2006
By Joris Evers
Staff Writer, CNET News.com
January 3, 2006
A serious flaw in Windows is generating a rising number of
cyberattacks, but Microsoft says it won't deliver a fix until next
That could be too late, security experts said. The vulnerability,
which lies in the way the operating system renders Windows Meta File
images, could infect a PC if the victim simply visits a Web site that
contains a malicious image file. Consumers and businesses face a
serious risk until it's fixed, experts said.
"This vulnerability is rising in popularity among hackers, and it is
simple to exploit," said Sam Curry, a vice president at security
vendor Computer Associates International. "This has to be taken very
seriously, and time is of the essence. A patch coming out as soon as
possible is what the responsible thing to do."
Microsoft has come under fire in the past for the way it releases
security patches. The company has responded in the past by instituting
a monthly patching program, so system administrators could plan for
the updates. Critics contend that in high-urgency cases such as the
WMF flaw, Microsoft should release a fix outside of its monthly
Details on the WMF security problem were publicly reported last week.
Since then, a number of attacks that take advantage of the flaw have
surfaced, including thousands of malicious Web sites, Trojan horses
and at least one instant messaging worm, according to security
More than a million PCs have already been compromised, said Andreas
Marx, an antivirus software specialist at the University of Magdeburg
in Germany. He has found a hidden Web site that shows how many copies
of a program that installs malicious software have been delivered to
Microsoft has said that a patch will not be made available until
Tuesday, its next official patch release day. That delay could provide
an opportunity for attackers, security provider Symantec said on
"There is a potential 7-day window for which attackers could exploit
this issue in a potentially widespread and serious fashion," Symantec
said in a notice sent to subscribers of its DeepSight alert service.
Hackers have been quick to craft tools that make it easy to create
malicious image files that advantage of the flaw, experts said. These
new files can then be used in attacks. The tools themselves can be
downloaded from the Internet.
Many of the attacks today use the unpatched bug to attempt to install
unwanted software, such as spyware and programs that display pop-up
advertising, on Windows PCs. The flaw affects all current versions of
the operating system, and a vulnerable system can be attacked simply
if the user views a specially crafted image, according to a Microsoft
In most cases, the attacks require a user to visit a malicious Web
site, but the schemes are likely to become more sophisticated,
antivirus specialist Marx said.
"I'm sure it's just a matter of days until the first
(self-propagating) WMF worm will appear," he said. "A patch is
Microsoft is urging people to be cautious when surfing the Web. "Users
should take care not to visit unfamiliar or un-trusted Web sites that
could potentially host the malicious code," it said in its advisory.
But most ordinary PC owners simply aren't aware of this type of
threat, said Stacey Quandt, an analyst with the Aberdeen Group. "There
are a lot of Windows users who aren't paranoid enough about never
clicking on an unknown link," she said.
Microsoft has completed a fix for the problem and is currently testing
and localizing the update into 23 languages, the software maker said
in its advisory, updated on Tuesday. "Microsoft's goal is to release
the update on Tuesday, Jan. 10, 2006, as part of its monthly release
of security bulletins," the company said.
To protect Windows users, Microsoft shouldn't wait, but release the
patch now, several critics said.
"The flaw is actively exploited on multiple sites, and antivirus
provides only limited protection," said Johannes Ullrich, the chief
research officer at the SANS Institute. "Active use of an exploit
without sufficient mitigating measures should warrant the early
release of a patch, even a preliminary, not fully tested patch."
Marx agreed. "As the vulnerability is already known, Microsoft should
make this patch available now," he said. System administrators could
do their own testing and then apply the patch, Marx and Ullrich said.
Increasingly sophisticated computer code that exploits the Windows
flaw has been made publicly available, Symantec said. In response, the
security provider raised its ThreatCon global threat index to Level 3.
Microsoft, however, said the threat is limited. "Although the issue is
serious, and malicious attacks are being attempted, Microsoft's
intelligence sources indicate that the scope of the attacks is not
widespread," the software maker said in its advisory.
Calculating potential cost
Whether to issue the fix sooner rather than later has to be a matter
of risk analysis, CA's Curry said. "They have to balance out what the
risk involved with not having a patch for a day or two days is, versus
not testing all scenarios. The only thing they could do worse than
delaying a patch is if they bring out a bad patch," he said.
Part of the problem is that the Microsoft's software is complicated
and vulnerable to unintended side effects of patches, Quandt said. If
the company sends out a fix prematurely, the update could cause bugs
that affect the normal operation of systems, she said.
Attacks designed to exploit WMF flaw range from malicious spam to MSN
Beyond this single instance is what appears to be a wider problem with
WMF files, said John Pescatore, a Gartner analyst. Other flaws related
to WMF have been put right in recent months, he noted.
"I hope Microsoft is going to fix the underlying problem in how WMF
files are handled," he said. "We need a stronger fix, so that we're
not going to see another vulnerability like this one two weeks from
While Microsoft is testing its patch, users can protect themselves
with an unofficial, third-party fix. In an unusual move, some security
experts are even recommending that people apply this solution while
waiting for Microsoft to deliver the official update.
"We carefully checked this patch and are 100 percent sure that it is
not malicious," the SANS Institute's Ullrich said. "The patch is, of
course, not as carefully tested as an official patch. But we feel it
is worth the risk. We know it blocks all exploit attempts we are aware
F-Secure, an antivirus company in Finland, has also tested the fix,
created by Ilfak Guilfanov, a programmer in Europe. "We've tested and
audited it and can recommend it. We're running it on all of our own
Windows machines," said Mikko Hypponen chief research officer at
But Microsoft cautions against Guilfanov's patch. "As a general rule,
it is a best practice to utilize security updates for software
vulnerabilities from the original vendor of the software," Microsoft
At least one user has reported difficulties after installing the fix.
The update can cause network printing problems, according to an e-mail
sent to the Full Disclosure security mailing list.
While some critics have given Microsoft's response to the WMF flaw a
failing grade, the company has also gained some respect for its
handling of the issue.
"Everybody would like to see the patch as soon as possible, but I
can't blame Microsoft for wanting to test it thoroughly," Hypponen
said. "However, if a widespread worm is found before next Tuesday, I
do believe they will break the cycle and just release the patch."
As the official January patch day is only next week, the length of the
wait for the update is fine, Gartner's Pescatore said.
"If we were three weeks, or almost four weeks from the next regular
patch cycle, it might be a different story," he said. "This close,
most enterprises don't want to go through one patch this week and
another next week."
Still, Gartner is urging people to protect themselves while waiting
for Microsoft's fix--by blocking access to known malicious sites, for
example, Pescatore said. Microsoft also offers some workarounds in its
More information about the ISN