Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.
The Bug of the Day for January 2006 was written on December 31, just making it under the wire to qualify. It belongs to Microsoft.
Microsoft interrupts everyone’s vacation with news of another vulnerability that could load hostile content onto your computer via a Windows Metafile graphic. The graphic would be hosted on a website, but Microsoft says a user would have to visit the website by clicking on a link — they could not be forced onto the site. There are reports that code to exploit this are already circulating on the Internet. Microsoft has a bulletin which will get updated later.
Why this bug? First is the scope — it affects all Windows users, all versions, from Windows Server 2003 and Windows XP Service Pack 2, all the way back to Windows 98. Second is the relative ease in which an attack using this bug could be triggered. The December 31 report was written before the full scope was known to the public. You could actually be affected via a website, via email, or even just looking at a thumbnail of the graphic file in Windows Explorer. The third reason for picking this is the reaction — mounting criticism of Microsoft’s effort forced the company to release a patch early for the bug.
This is how the rest of the story played out in the BugBlog. On January 3 came these two entries:
The Microsoft WMF bug, from the 12/31 BugBlog, is being taken advantage of by adware vendors and others who don’t have your best interests at heart. A round-up story in eWeek shows that anti-virus vendors are catching up, but don’t offer blanket immunity. Disabling the buggy DLL from Microsoft offers a temporary patch, by preventing Windows Picture and Fax Viewer from opening. It may be possible for this security breach to be exploited by third-party programs that open WMF files. See details, and limitations, of this workaround in the eWeek story.
Microsoft says they will not be releasing their fix for the WMF (Windows Metafile) bug until their regular Patch Tuesday release of January 10. I guess they aren’t worried that it’s a very serious security bug that is very easy to exploit. There is an unofficial patch from the Internet Storm Center at SANS. While the patch was developed by a volunteer, it has been tested at SANS, and the source code is available. Keep on reading the coverage by the Internet Storm Center for a very good FAQ on the problem. The information they give is much more detailed than what you are getting from Microsoft.
On January 4:
At least 70 different IM (Instant Messaging) attacks have been catalogued that attempt to exploit the bug in Microsoft Windows WMF (Windows Metafile) format. Sending an infected file via IM, or sending a link to a website with an infected file, are how IM is used for the attack. Email and websites will be the other common ways to exploit this. Read more at Computerworld.
On January 5:
Most anti-virus programs are catching malicious content trying to sneak in through Microsoft’s unpatched WMF (Windows Metafile) bug. Microsoft still insists on waiting till January 10 to patch this dangerous bug, while an unofficial but safe patch is available from the Internet Storm Center. In the meantime, independent testing shows that Symantec and McAfee were able to catch all 206 of the test files; most other AV vendors, with the exception of Trend Micro, also did well.
On January 6 came the fix:
If enough people complain, I guess that Microsoft will change its mind. The patch for the very dangerous WMF (Windows Metafile) bug was released early, on 1/5/2006. The patch, for Windows 2000, Windows XP, and Windows Server 2003, is a Critical Update that will prevent remote attackers from possibly taking over your computer after you view a WMF graphics file on your computer, in an email, or on a webpage. Now that the “official” patch is out, you will not need the unofficial patch available from the Internet Storm Center.
Powered by Sidelines