01.03.06
“Zero-Day-Attack” Exploits Windows OS
Security experts discovered a serious vulnerability in late December, through which hackers can attack a fully patched Windows XP or Windows Server 2003 system. The vulnerability lies in how the OS handles a corrupted Windows Metafile (.WMF) graphic file.
Microsoft has not released a fix for the vulnerability, which has already caused significant damage. The company has recommended that users wait until it releases its official patch on January 10. Pending availability of Microsoft’s update, users are advised to disable .WMF file handling by unregistering the shimgvw.dll file. However, doing so will prevent Windows Picture and Fax Viewer from functioning properly and will stop IE from showing thumbnails of digital photos. Blocking .WMF files at the firewall would meet with only partial success, because attackers can easily rename the infected files with a different graphics extension. The flaw is referred to as a “zero day” exploit because of the window of opportunity that exists for attack, and hackers have been stepping up their efforts to take advantage of the problem before the patch becomes available. Source code and kits for creating attacks based on the vulnerability are widely available on the Internet.
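Because a renamed .WMF file still carries its metafile header, a content check holds up where an extension filter fails. The following Python is an added example, not code from the original article or from any vendor tool: it recognises WMF content by its header (standard METAHEADER, optionally behind a placeable header) and flags files regardless of extension; the sample files are constructed inline.

```python
import struct

# Aldus placeable metafile magic, stored little-endian as bytes D7 CD C6 9A.
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22   # placeable header; the standard METAHEADER follows it
METAHEADER_LEN = 18


def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes start with a WMF header, whatever the file name says.

    Recognises a standard METAHEADER (mtType 1 or 2, mtHeaderSize 9,
    mtVersion 0x0100 or 0x0300) either at offset 0 or after a placeable header.
    """
    offset = PLACEABLE_HEADER_LEN if data[:4] == PLACEABLE_MAGIC else 0
    if len(data) < offset + METAHEADER_LEN:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, offset)
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def flagged_wmf_files(files: dict) -> list:
    """Names of files whose content is WMF, including ones renamed to another extension."""
    return sorted(name for name, data in files.items() if looks_like_wmf(data))


# Constructed sample files (not real captures): a minimal standard METAHEADER,
# the same header behind a placeable header, a JPEG header, and plain text.
_METAHEADER = struct.pack("<HHHIHIH", 2, 9, 0x0300, 9, 0, 0, 0)
_PLACEABLE = PLACEABLE_MAGIC + struct.pack("<HhhhhHIH", 0, 0, 0, 100, 100, 96, 0, 0)
SAMPLES = {
    "diagram.wmf": _METAHEADER,
    "holiday.jpg": _PLACEABLE + _METAHEADER,        # WMF renamed to .jpg
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,  # a real JPEG header, not WMF
    "notes.txt": b"just some text, nothing to see here",
}

if __name__ == "__main__":
    for name in flagged_wmf_files(SAMPLES):
        print(f"{name}: WMF content, quarantine regardless of extension")
```

This identifies WMF content only and cannot tell a benign metafile from a malicious one, so a mail or web gateway using it would hold every match until the patch is applied.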
The exploit can take place if a user opens a malicious .WMF file in the Windows Picture and Fax Viewer utility, or previews the file in Windows Explorer. The vulnerability allows an attacker to hide malicious code in an ordinary-looking graphic file that can be spread through e-mail, instant messaging, or Web pages. There have been hundreds of reports of infected Web sites. An attack can also be triggered simply by visiting a Web site that hosts an infected graphic or by opening an e-mail that displays the graphic. Unlike many other attacks, which require users to take an overt action such as clicking on an attachment, this one can be triggered simply by the corrupted file being served to the computer.
The vulnerability can be used to deliver a wide variety of malicious payloads. Early reports showed it being used to install adware and spyware on machines, although it could potentially be used to deliver Trojans and other types of malware as well. The vulnerability is especially dangerous because existing antivirus and IDS signatures do not recognize it.
The SANS Internet Storm Center (www.sans.org) has made available an unofficial patch. Applying the patch will not negatively affect Windows graphics functions. Microsoft does not recommend using any unofficial patches, but other security experts advise against waiting for Microsoft to deliver and recommend taking immediate action to prevent attacks.
[Click here for a Tutorial on disabling the shimgvw.dll file]