'Extremely Critical Flaw' in Windows Discovered, Already Exploited

Microsoft Corp. has issued a security advisory for what Secunia is deeming an "extremely critical flaw" in Windows Metafile Format (.wmf) that is now being exploited on fully patched systems by malicious attackers.

Websense Security Labs is tracking thousands of sites distributing the exploit code from a site called iFrameCASH BUSINESS.

That site and numerous others are distributing spyware and other unwanted software, replacing users' desktop backgrounds with a message that warns of spyware infection and which prompts the user to enter credit card information to pay for a "spyware cleaning" application to remove the detected spyware.

Vulnerable operating systems include a slew of Windows Server 2003 editions: Datacenter Edition, Enterprise Edition, Standard Edition and Web Edition.

Also at risk are Windows XP Home Edition and Windows XP Professional, making both home users and businesses open to attack.

In this fluid attack, researchers have kept up a steady stream of new details about the extent of the exploit's reach, with Google Desktop being the latest reported vector.

F-Secure reported on Wednesday that Google Desktop tries to index image files with the exploit, executing it in the process. F-Secure reports that this exploitation-via-indexing may wind up occurring with other desktop search engines as well.

Google had no immediate comment. To avoid the problem, security experts suggest disabling the feature's indexing of media files, or to remove Google Desktop altogether.

A workaround called REGSVR32 has been posted and was included in Microsoft's advisory. However, it should be noted that as of Thursday evening, some security researchers were reporting that the workaround is not fully successful.

The workaround is as follows, as quoted from the advisory:

Un-register the Windows Picture and Fax Viewer (Shimgvw.dll)

1. Click Start, click Run, type "regsvr32 -u %windir%system32shimgvw.dll" (without the quotation marks), and then click OK.

2. A dialog box appears to confirm that the un-registration process has succeeded.

— Click OK to close the dialog box.

Impact of Workaround: The Windows Picture and Fax Viewer will no longer be started when users click on a link to an image type that is associated with the Windows Picture and Fax Viewer.

To undo this change, re-register Shimgvw.dll by following the above steps. Replace the text in Step 1 with "regsvr32 -u %windir%system32shimgvw.dll" (without the quotation marks).

F-Secure notes that this workaround beats filtering .wmf files, given that files with other image extensions — such as BMP, GIF, JPG, JPEG, TIFF, etc. — can be used to exploit machines.

F-Secure also recommends filtering domains at corporate firewalls. These sites should be listed as off-limits:

toolbarbiz.business

toolbarsite.biz

toolbartraff.biz

toolbarurl.biz

buytoolbar.biz

buytraff.biz

iframebiz.biz

iframecash.biz

iframesite.biz

iframetraff.biz

iframeurl.business

F-Secure notes that it's seen 57 versions of this malicious .wmf file exploit as of Thursday, detected as PFV-Exploit.

The security firm is predicting that, even though the exploit has only been used to install spyware or fake antispyware/antivirus software thus far, it anticipates that real viruses will start to spread soon.

According to the Sunbelt Software blog, "any application that automatically displays a WMF image" can be a vector for infection, including older versions of Firefox, current versions of Opera, Outlook and all current versions of Internet Explorer on all Windows versions.

"This is a zero-day exploit, the kind that give security researchers cold chills," according to Sunbelt's blog. "You can get infected by simply viewing an infected WMF image."

According to F-Secure, Trojan downloaders are taking advantage of the vulnerability to install Trojan-Downloader.Win32.Agent.abs, Trojan-Dropper.Win32.Small.zp, Trojan.Win32.Small.ga and Trojan.Win32.Small.ev.

F-Secure also reports that some of the Trojans install hoax anti-malware programs such as Avgold.

F-Secure traced the exploit to Russian sites, one of which is allegedly registered to former Soviet Union President Mikhail Gorbachev.

Sunbelt warns that users are likely to get infected by being directed to one of the sites via spam that offer dirty pictures, free software or other bait.

The attack works by tricking users into opening malicious ".wmf" files in "Windows Picture and Fax Viewer" or by previewing such a file by selecting it in Windows Explorer. The attack can also be triggered automatically when visiting malicious Web sites via Internet Explorer.

Although Secunia deemed the flaw highly critical, at least one security researcher was dismissive of the bug's severity.

Pete Lindstrom, research director for Spire Security LLC, said that at this stage in the game, anything that requires user interaction is hardly worth notice.

"There's no such thing as 'extremely critical' when user interaction is required," Lindstrom said. "That's just silly."

But as far as using IE goes, download of malicious software is automatic, happening immediately upon going to the site, pointed out Alex Eckelberry, president of Sunbelt Software.

"There is no user interaction required," he wrote in an e-mail exchange. "You hit the Web site, you get hit immediately. No prompts, nothing."

John Pescatore, an analyst with Gartner Inc., said that this type of attack may be slowed down by requiring users to click on a malicious .wmf file or to go to a malicious Web site, but that doesn't mean it won't spread fast, given users' willingness to click on bait.

"One of these [attacks] where clicking on a URL [is involved], those can spread pretty fast," he said, given users' proclivity to click away.

"We do online consumer studies. Two years ago, 30 percent had fallen for phishing [schemes]. They entered their user name, password or credit card information. This year, many fewer completely fell for them, but they still clicked on the link in the phishing e-mail."

Given the rise of keystroke loggers that can automatically be downloaded onto a user's system after the user visits a malicious site, that means the Web-surfing population is still ripe for phishing, Pescatore said.

"They're still clicking on links, and whenever malicious software gets installed, that's when you get a critical rating, because all sorts of bad things can happen."

According to Secunia, the vulnerability is caused by an error in handling corrupted .wmf files — a graphics file format used to exchange graphics information between Microsoft Windows applications that can hold vector and bit-mapped images.

Secunia confirmed the vulnerability on a fully patched system running Windows XP SP2. The advisory said that Windows Server 2003 SP0 and SP1 systems have also reportedly been affected.

A Microsoft spokesman told eWEEK in an e-mail exchange on Wednesday that Microsoft "is investigating new public reports of a possible vulnerability in Windows," although he didn't give an ETA for a patch.

"Microsoft will continue to investigate the public reports to help provide additional guidance for customers," he said. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or issuing a security advisory, depending on customer needs."

The spokesman went on to encourage customers to follow Microsoft's Protect Your PC guidelines of enabling a firewall, getting software updates and installing anti-virus software.

Customers who think they've been affected can also contact Product Support Services, which is at 1-866-PCSAFETY in North America or at http://support.microsoft.com/security for outside North America.

Microsoft also advises customers who think they've been attacked to contact their local FBI office or to post the incident on www.ifccfbi.gov. Customers outside the United States should contact the national law enforcement agency in their country, the spokesman said.

The advisory issued by Microsoft later on Wednesday said that Microsoft is aware of the code, which allows an attacker "to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image."

Microsoft's advisory echoed Lindstrom's take, however, stating that attackers have "no way to force users to visit a malicious Web site."

Instead, the advisory continued, attackers have to persuade users to visit the sites, "typically by getting them to click a link that takes them to the attacker's Web site."

The advisory said that Microsoft would either be issuing a patch through its monthly release process or would provide an out-of-cycle security update, "depending on customer needs."

Microsoft's spokesman declined to state how many customers had reported that they had been victimized by the attack.

Secunia advised that users avoid opening or previewing untrusted .wmf files, as well as set security level to "High" in IE.

Lindstrom noted that the long-term answer to dealing with what he called this type of "flotsam and jetsam" of constant security alerts is to install host intrusion prevention software to designate what software is allowed to run on a system and what it's allowed to do.

As far as the short-term response to this particular vulnerability goes, Lindstrom echoed Secunia's advisory when it comes to untrusted files: "Don't click on it," he said.

Editor's Note: This story was updated to include Microsoft's statement, more on the recommended workaround and more details about the exploit from Sunbelt and F-Secure.

Additional reporting by Ben Charny.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.