
Windows Operating Systems Under Attack!

For more than a week, hackers have been exploiting a flaw in a type of Windows graphics file known as WMF, or Windows Metafile. A Windows Metafile (WMF) image is a 16-bit metafile format that can contain both vector information and bitmap information. The problem affects Windows 98, ME, Windows 2000, Server 2003 and Windows XP.

What's especially dangerous about the attacks: your computer could be infected with viruses, spyware or other malicious programs just by viewing a Web page, an e-mail, or an instant message that has one of these contaminated images. The flaw could be exploited using a specially crafted Windows Metafile (.wmf) file to gain full control of the target computer. The vulnerability was discovered right after December 25. "Nobody knew it was coming. There was no security intervention or mitigation for it," said security expert Rick Howard of Counterpane Internet Security.
Unlike infamous computer worms and viruses like Blaster, Code Red or I Love You, the WMF attack is not spreading like wildfire across the Internet. But there are already many variations of the attack; the virus creates a slightly different version of itself each time it replicates. Each iteration is of random size, can use non-wmf file formats and employs other tricks to look like something different.
Traditionally, antivirus software works by matching a particular 'signature' of a suspect file against a database of known malware. By mutating, the new virus makes that matching much harder. According to the SANS Internet Storm Center, "it will likely be difficult to develop very effective signatures (to identify the mutating virus) due to the structure of the WMF files."
Of even more concern from Microsoft's point of view is that the exploit, along with source code, has been developed and made available on the Internet. Most security investigators first make their findings available to the affected vendor, to allow it time to fix the problem, before publishing details on the Internet where they can be picked up and used by hackers.
Most of the exploits fit the pattern of recent attacks. They are not designed to earn bragging rights for a brash programmer, but are instead likely tied to theft, fraud and organized crime. Some of the exploits so far identified are designed to steal passwords. Others install computer code that turns computers into zombies, which can then be controlled remotely to spew spam and viruses.
According to Luis Corrons at Panda Software, "This is one of the most serious vulnerabilities recently detected. Simply visiting a web page with a file created to exploit this security problem could see a computer infected by any type of malicious code."

Users can find the newly released patch at Microsoft's Download Center, or Microsoft Update at http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx. Those who use Windows' Automatic Updates will have the patch automatically delivered to their computer.

- Internet Explorer is a common attack vector for this vulnerability. This is because in its default configuration, Internet Explorer can automatically launch the Windows Picture and Fax Viewer as the result of viewing a web page. Google Desktop Search (GDS) can also trigger the buffer overflow vulnerability if a malicious WMF file is placed in a location that is indexed. Other content indexing software may also be vulnerable. It is reported that various anti-virus software products cannot detect all known variants of exploits for this vulnerability.
- An important note about A-V signatures: as useful as anti-virus protection is as a first line of defense, new WMF exploits are succeeding at bypassing it. So A-V cannot be relied upon.
- All versions of Windows from Windows 98 through ME, NT, 2000, XP, and 2003 are known to be vulnerable, and a large and rapidly growing number of malicious exploits (57 at last count) are already circulating in the wild. They are being actively used to install malware and Trojans on users' machines. Viruses and worms are expected to appear shortly.
- Do not open any WMF (Windows Metafile) files you receive by e-mail; reports are that other file types may also be dangerous.
- Anti-virus companies have responded to this, so update your anti-virus signature files for updated protection.
- You can get infected if you visit a web site that has an image file containing the exploit. Internet Explorer users might automatically get infected.
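
Because the exploit files described above do not always look like WMF files by name, a filter keyed on the `.wmf` extension will miss them. The following sketch is an added example, not part of the original article: it flags files whose first bytes form a WMF header while the name carries a different extension. The function names and sample data are constructed for illustration, and the scan checks the file type only, not whether a file is malicious.

```python
import struct
from pathlib import Path

PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 as stored little-endian on disk
PLACEABLE_LEN = 22                      # optional header that precedes the standard one

def looks_like_wmf(data: bytes) -> bool:
    """True if data starts with a WMF header, whatever the file is named."""
    if data[:4] == PLACEABLE_MAGIC:
        data = data[PLACEABLE_LEN:]
    if len(data) < 18:                  # standard header is 18 bytes
        return False
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, 0)
    # Type 1 (memory) or 2 (disk), header size of 9 words, version 1.0 or 3.0
    return ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)

def find_disguised_wmf(root):
    """Return sorted paths under root that hold WMF content without a .wmf name."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(PLACEABLE_LEN + 18)
        except OSError:
            continue                    # unreadable file: skip, do not abort the scan
        if looks_like_wmf(head) and path.suffix.lower() != ".wmf":
            hits.append(str(path))
    return sorted(hits)

def sample_header(placeable=False):
    """Constructed sample input: a bare WMF header with no drawing records."""
    std = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
    return (PLACEABLE_MAGIC + b"\x00" * 18 + std) if placeable else std

if __name__ == "__main__":
    import sys
    for hit in find_disguised_wmf(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("WMF content under another extension:", hit)
```

Run against a mail-attachment quarantine or download directory, it lists the files that deserve a closer look before anything opens them.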


For more information on protecting your organization with the benefits of Cisco Security Agent and how Covetrix can provide you with the agent or any of the other CiscoWorks VPN/Security Management Solutions (VMS), check out Covetrix and CSA.