Computerworld - IT staffers this week have been working to fend off attacks related to the recently disclosed Windows Metafile (WMF) vulnerability. Although third-party patches are available, Microsoft Corp. doesn't plan to release its official fix for the flaw until next Tuesday (Editor's note: After this article was posted, Microsoft moved up the release date. See Update: Microsoft releasing WMF patch today.) Computerworld Security channel editor Angela Gunn has put together an extensive FAQ on the vulnerability, how it works, what systems are affected and what you can do about it.
The Problem
What's the fuss about? A major security hole involving WMF files. Exploits targeting the hole can use WMF files to run malicious code on a target machine -- infecting it with spyware, stealing data or recruiting it into a zombie network. The problem has existed for years, but its discovery was publicly announced in late December 2005.
Which versions of Windows are vulnerable? Microsoft stated that the vulnerability applies to all versions of Windows from 98 onward, though, practically speaking, only XP and Server 2003 installations are likely to have problems. Secunia confirmed the following systems to be at risk: Microsoft XP Pro, Microsoft XP Home, Microsoft Windows Server 2003 Datacenter Edition, Microsoft Windows Server 2003 Enterprise Edition and Microsoft Windows Server 2003 Standard Edition.
Are Mac, Linux or Unix systems vulnerable? Very funny. Next: The Situation
The Situation
Is any real-world malware targeting this hole? Like rust, exploit writers never sleep, or even slow down enough to be counted. As of yesterday, 73 known exploits had been noted on the CastleCops.com discussion board, and antivirus firm Sophos reported over 200 attack methods thus far.
How are the exploits traveling? Infection vectors will be familiar to anyone who follows the malware scene: graphics or executables opened from within e-mail or instant messages, malicious or compromised sites, fake e-cards, fake system messages and the like. Antivirus firms have discovered instances of a stand-alone utility called WMFMaker that quickly constructs a malicious WMF. That program is believed to have been used in the first wave of exploits.
What's the launch sequence? When a user clicks on a WMF file, the application calls the shimgvw.dll library, which in turn can call the Escape() function in the gdi32.dll library. Escape() has a subfunction called SETABORTPROC, which lets users cancel a print job during spooling from within various applications. The exploit targets SETABORTPROC. It causes a buffer overflow and thus allows the targeted computer to run malicious code in the WMF file, whatever it
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
