Microsoft Plans To Patch Zero-Day Windows Bug
"Microsoft has completed development of the security update for the vulnerability," a company spokesperson wrote TechWeb in an e-mail. "The security update is now being localized and tested to ensure quality and application compatibility."
She stopped short of promising a patch, however, adding "This release is predicated on successful completion of quality testing."
The move is just the latest in the week-long story of a new vulnerability uncovered in Windows' rendering of WMF (Windows Metafile) images, and an increasingly long list of both exploits and Web sites using these exploits to hack into PCs. As far as some researchers are concerned, Microsoft's promise is overdue.
On Tuesday, the SANS Institute's Internet Storm Center (ISC) recommended that users not wait for Microsoft's fix, but unregister a vulnerable DLL and apply an "unofficial" patch created by a third-party researcher.
The patch, which can be downloaded from here, has been tested by the ISC, which confirmed that it blocks all known versions of the exploit now circulating as source code. The patch, added Johannes Ullrich, chief research officer of the ISC, should work on Windows XP (SP1/SP2) and Windows 2000 machines.
"This should allow Windows programs to display WMF files normally while still blocking the exploit," Ullrich wrote on the ISC blog.
(Details on how to unregister the DLL, and other protective measures, can be found in this TechWeb story.)
It's important to move fast, added other security professionals. "There are three reasons why the potential impact is big," said Dan Hubbard, senior director of security and research at San Diego-based Websense.
"The most obvious is that there's no patch available. Second, it's spread across multiple versions of Windows. And third, there are kits out there that make it easy to create your own exploit."
Those kits, he conjectured, are one of the reasons for the quick increase in the number of exploits that leverage the WMF vulnerability. Since Friday, WMF-based exploits have appeared as instant message (IM) worms, in new bot formats (including the ubiquitous Sdbot), and tucked inside Trojan horses that are spread with traditional spam e-mail campaigns.
"Although the ability [of these exploits] to spread is mitigated by the fact that they're all Web based so far, the potential for a more widespread attack is there," added Hubbard. Shane Coursen, a senior technical analyst with Moscow-based Kaspersky Labs, agreed. "It'll be very dangerous if this gets packaged in an automated worm."
Sites using WMF exploits are on the rise, Websense's Hubbard said, and include not only URLs specifically set up for attacks, but compromised legitimate Web sites. Simply visiting those sites -- as opposed to being enticed to attack sites -- results in infection. As proof, Websense posted screenshots of several hacked sites hosted from the U.S., Russia, the Netherlands, the U.K,. China, and Japan. "There have been lots of sites hacked into," said Hubbard.
Although Microsoft acknowledged the seriousness of the vulnerability in an updated advisory, it took the tack opposite Hubbard and Coursen, and discounted the danger. "The scope of the attacks is limited. In addition, attacks exploiting the WMF vulnerability are being effectively mitigated by anti-virus companies with up-to-date signatures.
"Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability," it maintained.
Hubbard, however, said that the most important thing about the WMF vulnerability isn't danger level, but how it's been exploited.
"This is the first time I know of that a 'grayware' company has not just used a vulnerability, but actually discovered it," he said, referring to the original rash of exploits launched by adware and spyware vendors.
"Previously, grayware vendors haven't been the discoverers of vulnerabilities, they've only been the users of them," Hubbard went on. "This show they're getting even more sophisticated, through people doing this [hacking] for a living."