New Zero-Day Exploit Threatens XP Users
- By Michael Desmond
- December 29, 2005
For years, one of the most troubling trends in the security industry has been the ever-shrinking "time to exploit." That is, the time between the discovery of a system vulnerability and the emergence of malware exploiting that vulnerability. Ultimately, the trend ends with zero-day exploits, which tap previously unreported vulnerabilities and leave vendors and security firms with no time to respond.
Security experts at F-Secure reported on Tuesday just such an exploit. The WMF zero-day exploit exposes vulnerabilities in the Windows graphics handling engine to enable malware to take control of PCs running fully patched Windows XP SP2. Right now, any user that so much as glances at an infected Windows Meta File (WMF) formatted graphic using the default Windows Picture and Fax viewer software will end up deeply compromised.
Johannes Ullrich, CTO of the SAN Institute Internet Storm Center , characterizes the threat at severe. "It's very serious, I would think, because all you need to do is visit a Web page that contains that image and it can hit you," he says. "It's tough -- there's not much you can do."
Ullrich says the exploit is currently being used by various Trojan downloaders to install spyware and adware onto PCs. He notes that at least one hoax anti-virus program -- reported by F-Secure to be Avgold -- is being installed onto systems using this exploit as well.
Right now, there is no Windows patch or other surefire resolution to this threat. And because Internet Explorer by default displays Web-hosted WMF files, even casual browsing can pose a threat. An alternative browser like Opera or Firefox can offer some protection.
"Really the problem is in the viewer, not in Internet Explorer or Firefox. However, in Firefox it will prompt you if you really want to see the [WMF] file. There is an extra layer of protection there," Ullrich adds.
Ullrich notes that users of Google Desktop Search may be at heightened risk, since the software by default will index any WMF files that is cached or downloaded by the system. Kick off a search that returns a WMF file, and the search viewer will invoke the exploit and expose your system. Ullrich isn't sure, but he suspects Yahoo! Desktop Search and like products would be similarly vulnerable.
This is not the first time an exploit has targeted a graphics renderer, however the lack of any forewarning makes this incident deeply troubling. Microsoft has not yet made any announcement on a fix, but Ullrich says this exploit could be related to one Microsoft patched earlier.
"They have been totally quiet right now," Ullrich says of Microsoft. "They actually patched a WMF issue last month. It may have been the same flaw, I'm not really sure at this point."
Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.