It’s not exactly a happy new year for millions of PC users exposed to a Microsoft Windows flaw that leaves the door wide open for hackers, Trojans, worms, spyware and other malicious attacks.
F-Secure first reported the zero-day vulnerability on Dec. 27. Microsoft does not plan to issue a patch until Jan. 10. In the meantime, virus writers could have a field day with the vulnerability, according to security experts.
The vulnerability is related to Windows’ WMF files. Windows metafiles are image files used by popular applications, such as Microsoft Word. So far WMF exploits typically have been used to install spyware and adware, although the threat of virus and worm exploits remains.
Viruses Coming
“So far, we’ve only seen this exploit being used to install spyware — or fake antispyware and antivirus software — on the affected machines,” F-Secure Chief Research Officer Mikko Hypponen said. “I’m afraid we’ll see real viruses using this soon. We’ve seen 70 different versions of malicious WMF files so far.”
The WMF exploit has been used with a clear criminal motivation to install spyware and to dupe ordinary consumers into purchasing fake security products for their computers, Hypponen pointed out.
Users can be infected simply by visiting a Web site with an image file containing the WMF exploit. Internet Explorer users are at the greatest risk of automatic infection, while Firefox and Opera users are prompted with a question asking whether they’d like to open the WMF image. They get infected too if they answer “Yes.”
Microsoft’s Response
Microsoft and CERT.ORG issued bulletins on the Windows Metafile vulnerability and also announced a workaround to use while Microsoft creates a patch.
The vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003, Microsoft confirmed. This means there are hundreds of millions of vulnerable computers at the moment.
“We are working closely with our antivirus partners and aiding law enforcement in its investigation,” Microsoft said in a security bulletin on its Web site.
Unsuspecting PC Users
Consumers are starting to report spyware problems and performance issues without realizing they are related to the zero-day attack, said Ken Dunham, senior engineer at threat intelligence firm iDefense.
In many situations, consumers have partially removed code, but they do not have a full understanding of how much data is compromised, and they do not realize that malicious code is likely still functional on their computer, Dunham told TechNewsWorld.
“Current WMF activity has already risen to levels similar to that of the emerging zero-day attacks against Internet Explorer in the fall of 2003,” he noted. “In that situation, attacks skyrocketed over a one-month period, which is highly likely for the existing WMF attacks in early 2006.”
WMF exploitation started the year with a bang and a pop that clearly wins the title as the first significant malcode threat of 2006, Dunham said, and it will likely become a long-term persistent threat utilized by Trojan and bot hackers throughout 2006.