Windows flaw threatens disaster post-patch

Canadian security experts on Wednesday said users have yet to be hit by attacks based on a Microsoft Windows Meta File vulnerability, but warned the impact could be felt long after IT managers have applied the necessary patch.

Microsoft discovered the flaw last week. It can be exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003. It allows hackers to execute arbitrary code through images in the Windows Meta File (WMF) format, which means users could be exposed just by looking at an image in an e-mail message. Microsoft has said it will release a patch for the WMF flaw on Jan. 10 as part of its monthly security update.

Reports from the United States indicated the flaw has already been used to create an MSN Messenger worm as well as generate spam e-mail directing users to malicious Web sites. Some sources cite up to 73 kinds of attack.

Mirek Kotisa, a computer security administrator at the University of Toronto, said the school hasn’t received any complaints related to WMF yet, though he noted it has only recently reopened after the Christmas holidays.

“We are waiting for someone to say they’ve been hit,” he said. “Because (an attack) can happen in a variety of ways, we don’t really have any simple ways to explain it to most users.”

All the attacks require user interaction, which means that what IT managers would consider standard security awareness training for end users still applies, said Brian Bourne, president of Toronto-based CMS Consulting, which specializes in Microsoft software and security issues. Though the media has shown a great deal of interest in the WMF vulnerability, he said most enterprises would likely use a defense-in-depth strategy to stop it at the perimeter.

“The whole thing with zero-day (attacks) is that there’s zero-day everyday,” he said. “By the time someone who follows responsible disclosure practices releases information about a flaw, there’s an underground community that already knows.”

Third Brigade, an Ottawa-based provider of host intrusion prevention systems, became aware of the WMF vulnerability shortly before New Year’s Eve, according to its chief technology officer, Brian O’Higgins. Its customers are automatically sent filters to protect against such flaws, but after receiving a flurry of phone calls he said the company published a security dispatch with more information about it.

“People are concerned, of course, because of the gap for the official patch,” he said. “I don’t want to speak for Microsoft, but they’re probably really reluctant to do something out of that cycle because everyone is prepared for it . . . they’re probably monitoring it very closely and if it turned into a massive issue, they would have to push something out (sooner).”

O’Higgins said that because falling victim to the flaw is as easy as looking at a picture, it could be possible for hackers to take over a machine and install a “keyboard sniffer” to obtain passwords. Those kinds of attacks can be much more difficult to detect, he added.

“We may be hearing of incidents about this month after the patch has been downloaded,” he said.

The WMF vulnerability comes at the same time enterprises are bracing for the next Sober worm attack, which several firms said they expected to hit on Thursday, Jan. 5.

Comment: info@itbusiness.ca
