
Microsoft: Does Intelligent Life Exist In Redmond?

January 2nd, 2006

Security Alert!!! A new zero-day vulnerability is being exploited in the Windows Metafile format on the Microsoft Windows platform.

Right before New Year’s Eve, a series of viri were discovered circulating on the Internet that can infect your computer without requiring you to do anything. That’s right, you can get these viri just by having your computer connected to the Internet. These viri take advantage of a very stupid "feature" in the Windows Metafile (WMF) image format. All versions of Windows produced from 1991 to the present (approximately Windows 3.0 through Windows XP and Windows Server 2003) are affected by this vulnerability. Microsoft currently endorses a workaround that involves the user unregistering a DLL, but this workaround is basically worthless, since it only shuts down one avenue that the viri can use to exploit this vulnerability and also breaks the thumbnail display feature in Windows. A much better solution is a small program written by Ilfak Guilfanov and improved with the help of Steve Gibson. You must install the program and reboot your computer for the fix to work. It should shut down every avenue that the viri can use to exploit this vulnerability. The only downside to this patch is that it only works on Windows 2000 and up (sorry, Win95 and Win98 users). When Microsoft comes out with an official fix for this vulnerability, you can then uninstall this program. I highly recommend installing this small program because of the extreme ease of contracting one of these viri. Just to give you an idea of how easy it is to get one, many security experts have infected themselves with these viri without even realizing it.

A little more detail: most popular graphics formats in use on the Windows platform are raster-based formats. This means that the image is stored as a collection of individual pixels. Formats such as BMP, GIF, PNG, and JPEG are raster formats. The other type of graphics, vector graphics, is stored as a series of drawing instructions for the viewing program to execute. For example, the file might specify that a black line should be drawn from one point to another, then a red rectangle should be drawn with a given set of points as vertices. These images are scalable and generally take less space to store, but do not handle real-life images well. Examples of vector graphics formats are SVG and WMF.

When Microsoft designed the WMF format back in the early nineties, they decided to allow the graphics file to contain program code that would be executed if an error occurred while the drawing instructions in the file were being executed. It might have seemed like a harmless and somewhat useful feature back in the trusting days of computing before the Internet. However, it is now being used as a very easy way to execute arbitrary code on your computer. All you have to do to activate the code is view the infected image. What makes it even worse is that the image can masquerade as something other than a *.wmf file: the renderer looks at the file contents, not the extension, so many of the viri are hidden in files named as GIFs. The virus can be executed by simply viewing a web page that has one of these bad graphics on it. An MSN Messenger version of the virus is also circulating that would infect you the second you receive an IM containing the tainted image. Also, it has been shown that just having the image on your computer without viewing it can lead to infection, because content indexers you might have running, such as Google Desktop Search, render the image for you.
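As an added example (not part of the original post), here is a small Python scanner that walks a WMF record stream and flags the record type behind the feature described above: in the published WMF format it is the META_ESCAPE record carrying the SETABORTPROC escape, which registers a callback that the renderer will later invoke. It classifies files by content rather than file name, so a WMF renamed to *.gif is still caught. The record constants are from the WMF format; the function names and the minimal sample streams are my own and are constructed inline.

```python
import struct

# Record and escape constants from the published WMF format (assumed known).
META_EOF = 0x0000
META_ESCAPE = 0x0626       # escape record: carries a printer/driver escape
SETABORTPROC = 0x0009      # escape that registers an abort-procedure callback
PLACEABLE_KEY = 0x9AC6CDD7 # magic of the optional 22-byte placeable header

def wmf_escape_records(data):
    """Return [(offset, escape_function)] for every META_ESCAPE record,
    or None if the bytes do not carry a WMF header (checked by content)."""
    off = 22 if len(data) >= 22 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        return None
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return None
    off += 18
    found = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if func == META_EOF or size_words < 3:  # end of stream or malformed size
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            found.append((off, struct.unpack_from("<H", data, off + 6)[0]))
        off += size_words * 2
    return found

def scan_image(name, data):
    """Classify by content: a WMF named *.gif is still a WMF to the renderer."""
    recs = wmf_escape_records(data)
    if recs is None:
        return "not-wmf"
    note = "" if name.lower().endswith(".wmf") else " (WMF content despite name %r)" % name
    if any(f == SETABORTPROC for _, f in recs):
        return "suspicious: SETABORTPROC escape" + note
    return ("escape records present" if recs else "wmf-clean") + note

# Constructed samples (hypothetical): minimal WMF streams, not real files.
def _rec(func, *words):
    return struct.pack("<IH", 3 + len(words), func) + struct.pack("<%dH" % len(words), *words)

def _wmf(records):
    body = b"".join(records) + _rec(META_EOF)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, 0, 0) + body

CLEAN_WMF = _wmf([_rec(0x0103, 8)])                  # META_SETMAPMODE only
ABORTPROC_WMF = _wmf([_rec(META_ESCAPE, SETABORTPROC, 4, 0, 0)])  # zero placeholder data
FAKE_GIF = b"GIF89a" + bytes(40)                      # real GIF magic, no WMF header
```

Extension-based filtering, as the post notes, is useless here; a mail or web gateway has to sniff the content the way this scanner does.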

This is a zero-day vulnerability, meaning that it was being exploited before it was discovered by either Microsoft or an external security firm. Microsoft is currently working on a patch for this vulnerability, but they are fighting an uphill battle, since almost 100 viri that exploit this vulnerability have been discovered to date. For this vulnerability, you should NOT rely on your anti-virus software to protect you, since new variants are being released almost constantly. You can learn more about this vulnerability by listening to the first part of episode 20 (audio, transcript), the episode 20 extension (audio), and by reading the episode 20 show notes of the Security Now! podcast hosted by Leo Laporte and Steve Gibson.
