Attackers Exploit New Zero-Day Windows Bug

The bug is in Windows' rendering of Windows Metafile (WMF) images, a component that's been patched three times in the last two years, most recently in November by the bulletin MS05-053. The newest flaw, however, is different enough from November's that fully-patched Windows XP SP2 and Windows Server 2003 machines can be compromised.

"This exploit is doing something a bit different," said Shane Coursen, a senior technical analyst with Moscow-based Kaspersky Labs. "It looks like it affects the same DLL as MS05-053, but it's not overflowing the buffer." According to Microsoft's MS05-053 bulletin, the November vulnerability was in an unchecked buffer.

Microsoft would only acknowledge that it's looking into the problem, the usual response from the Redmond, Wash.-based developer to news of zero-day exploits of its software.

"Microsoft is investigating new public reports of a possible vulnerability in Windows and will continue to investigate the public reports to help provide additional guidance for customers," said a Microsoft spokesperson. "Upon completion of this investigation, Microsoft will take the appropriate action, which may include providing a fix through our monthly release process or issuing a security advisory, depending on customer needs."

Security and vulnerability tracking companies' reactions were more dramatic: they immediately raised alert levels, both because the flaw was an unpatched "zero-day" bug, and also because exploits were already out and about. Danish security company Secunia, for instance, tagged the new flaw as "Extremely critical," its highest warning; Symantec, meanwhile, gave it a rating of 9.4 on its 10-point scale for vulnerability alerts.

Multiple Web sites, said Ken Dunham, the director of Reston, Va.-based iDefense's rapid response team, are using a working exploit to compromise Windows machines. Attackers need only to cajole users into visiting sites planted with malicious WMF files, or get them to open such image files sent as e-mail attachments.

"WMF exploitation has taken off in the past twelve hours," said Dunham. "It's likely that WMF exploitation will be very successful in the near term."

By default, Internet Explorer automatically opens the vulnerable Windows Picture and Fax Viewer application to display WMF files, making that browser the riskiest to use. But it's not the only threatened browser: Mozilla Corp.'s Firefox, for instance, defaults to the same application, as does Opera, although users must acknowledge a dialog box before opening the image.

The current exploit lets attackers download additional software to a vulnerable Windows PC, including, said Symantec in an alert to its DeepSight Threat Management System customers, a keylogger and an IRC-based remote administration tool that can be used to take complete control of the computer. At least one noted spyware site with a .biz domain, added San Diego-based security vendor Websense, is using the exploit to drop other spyware and adware code onto machines.

"Once someone has compromised a PC [with a remote administration tool], the sky's the limit," said Kaspersky's Coursen.

Although Coursen characterized the threat as one "we need to pay attention to," he said that until or unless it becomes automated -- in other words, packaged as a worm that doesn't require users to visit a malicious site -- doomsday pronouncements are uncalled for.

Late Tuesday morning, in fact, a workaround surfaced that disabled Windows Picture and Fax Viewer, breaking the link between exploit and compromise.

iDefense's Dunham confirmed that the workaround takes care of the WMF problem, but warned that other file formats, such as EMF (Enhanced Metafile), might be found to be just as vulnerable once a thorough investigation is complete. Microsoft patched a bug in WMF and EMF image rendering in October 2004, and Dunham cited EMF as a possible alternate vulnerable file format.

To disable Windows Picture and Fax Viewer, users should click on the Start menu, select Run, then enter "regsvr32 /u shimgvw.dll" and click OK.
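The unregister command above only removes the COM registrations that point at shimgvw.dll; it does not unload the DLL from processes that already have it mapped. The following script is an added example (not from the article or from Microsoft) that lets an administrator verify both conditions on a machine. It assumes Windows PowerShell run from an elevated prompt and a registry layout where in-process COM servers are listed under HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32; the function names are hypothetical.

```powershell
# Added example: audit whether the "regsvr32 /u shimgvw.dll" workaround is
# in place. Assumes Windows PowerShell, elevated; HKCR: drive is mapped below.

function Test-ShimgvwRegistration {
    # Map the classes-root hive if this session does not already expose it
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    $hits = @()
    # Each COM class loadable in-process records its DLL as the default value
    # of CLSID\{...}\InprocServer32; regsvr32 /u deletes these for shimgvw.dll.
    Get-ChildItem -Path 'HKCR:\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $server = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $server) {
            $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
            if ($dll -and $dll -match 'shimgvw\.dll') {
                $hits += [pscustomobject]@{ Clsid = $_.PSChildName; Dll = $dll }
            }
        }
    }
    return $hits
}

function Get-ProcessWithShimgvw {
    # Unregistering does not unload the module from running processes (for
    # example an Explorer or browser instance that already rendered an image),
    # so list any process that still has shimgvw.dll mapped.
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $_.Modules | Where-Object { $_.ModuleName -ieq 'shimgvw.dll' }
    } | Select-Object Id, ProcessName
}

$registered = Test-ShimgvwRegistration
if ($registered.Count -eq 0) {
    Write-Host 'shimgvw.dll has no InprocServer32 registrations: workaround applied.'
} else {
    Write-Host 'shimgvw.dll is still registered; workaround NOT applied:'
    $registered | Format-Table -AutoSize
}

$loaded = @(Get-ProcessWithShimgvw)
if ($loaded.Count -gt 0) {
    Write-Host 'Processes still holding shimgvw.dll loaded (restart or log off to clear):'
    $loaded | Format-Table -AutoSize
}
```

Re-running the script after a log-off and log-on should show no registrations and no processes holding the module.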

Some anti-virus vendors have protections already in place against the exploit. Kaspersky, for example, recognizes and stops the downloader used by the malicious sites to drop code on vulnerable machines, while McAfee and Symantec have already released updates that detect the current crop of attacks.

For now, the practical threat seems to be minor, but the potential for damage is much greater.

"The threat level for this vulnerability may be dramatically increased if more automated methods of distribution are found to be successful, such as e-mail or IM or file shares," said Dunham. "The impact of attacks may also increase, with more sinister codes being installed as new hackers attempt to leverage the vulnerability to their advantage."