Canadian security experts warned that users could feel the impact of a Microsoft Windows Meta File vulnerability long after IT managers have applied the necessary patch.Microsoft discovered the flaw, which can be exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003. It allows hackers to execute arbitrary code through images in the Windows Meta File (WMF), which means users could be exposed just by looking at an image in an e-mail message. Microsoft released a patch for the WMF flaw in early January.
Reports from the U.S. indicated the flaw has already been used to create an MSN Messenger worm as well as generate spam e-mail directing users to malicious Web sites. Some sources cite up to 73 kinds of attack. Mirek Kotisa, a computer security administrator at the University of Toronto, said the school hadn’t received any complaints related to WMF at press time.
“We are waiting for someone to say they’ve been hit,” he said. “Because (an attack) can happen in a variety of ways, we don’t really have any simple ways to explain it to most users.”
All the attacks require user interaction, which means that what IT managers would consider standard security awareness training for end users still applies, said Brian Bourne, president of Toronto-based CMS Consulting, which specializes in Microsoft software and security issues. Though the media has shown a great deal of interest in the WMF vulnerability, he said most enterprises would likely use a defence-in-depth strategy to stop it at the perimeter.
“The whole thing with zero-day (attacks) is that there’s zero-day everyday,” he said. “By the time someone who follows responsible disclosure practices (and) releases information about a flaw, there’s an underground community that already knows.”
Third Brigade, an Ottawa-based provider of host intrusion prevention systems, said its customers are automatically sent filters to protect against such flaws, but after receiving a flurry of phone calls it published a security dispatch with more information about it.
“People are concerned, of course, because of the gap for the official patch,” he said in an interview before the patch was released. “I don’t want to speak for Microsoft, but they’re probably really reluctant to do something out of that cycle because everyone is prepared for it . . .they’re probably monitoring it very closely and if it turned into a massive issue, they would have to push something out (sooner).”
O’Higgins said that because becoming victim to the flaw is as easy as looking at a picture, it could be possible for hackers to take over a machine, and install a “keyboard sniffer” to obtain passwords.
“We may be hearing of incidents about this month after the patch has been downloaded,” he said.