A cryptographically signed version of Microsoft Corp.'s patch for the Windows Metafile vulnerability accidentally leaked onto the Internet late Tuesday, adding a new wrinkle to the company's round-the-clock efforts to stop the flow of malicious exploits.
The MSRC (Microsoft Security Response Center) acknowledged that a slip-up caused "a fast-track, pre-release version of the update" to be posted to a security community site and urged users to "disregard" the premature update.
The company's official recommendation is for Windows users to unregister the Windows Picture and Fax Viewer (Shimgvw.dll) and wait for a properly tested patch scheduled for Jan. 10.
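The workaround above is a registry change made with regsvr32, so it can be applied and checked from a script. The following is an added example, not code from the article or from Microsoft: it unregisters shimgvw.dll as the guidance describes, then confirms that no COM class in HKLM\SOFTWARE\Classes\CLSID still names the DLL as its in-process server, and it can reverse the change once the tested update is installed. The function and parameter names are my own; only regsvr32 and the DLL path come from the published guidance. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the eWEEK article or from Microsoft): apply and verify
# the interim WMF mitigation of unregistering the Windows Picture and Fax Viewer.
# Requires an elevated (Administrator) session. Function names are assumptions.

$ShimgvwPath = Join-Path $env:windir 'system32\shimgvw.dll'

# Return every CLSID whose InProcServer32 default value points at shimgvw.dll.
# Before the workaround this lists several classes; afterwards it should be empty.
function Get-ShimgvwClsid {
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SOFTWARE\Classes\CLSID')
    foreach ($name in $root.GetSubKeyNames()) {
        $srv = $root.OpenSubKey("$name\InProcServer32")
        if ($null -eq $srv) { continue }
        $dll = [string]$srv.GetValue('')      # default value holds the server path
        $srv.Close()
        if ($dll -match 'shimgvw\.dll') { $name }
    }
    $root.Close()
}

# Unregister (default) or re-register (-Restore) the DLL and verify the result
# against the registry rather than trusting regsvr32's exit code alone.
function Set-ShimgvwRegistration {
    param([switch]$Restore)   # -Restore: re-register after the tested patch is installed

    if (-not (Test-Path $ShimgvwPath)) { throw "shimgvw.dll not found at $ShimgvwPath" }

    # /s = silent, /u = unregister. $argList avoids shadowing the automatic $args.
    $argList = if ($Restore) { @('/s', $ShimgvwPath) } else { @('/s', '/u', $ShimgvwPath) }
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($proc.ExitCode)" }

    $remaining = @(Get-ShimgvwClsid)
    if ($Restore) {
        if ($remaining.Count -eq 0) { throw 'regsvr32 reported success but no CLSID points at shimgvw.dll' }
        return "Restored: $($remaining.Count) CLSID(s) now served by shimgvw.dll"
    }
    if ($remaining.Count -gt 0) { throw "Still registered under: $($remaining -join ', ')" }
    return 'Mitigation applied: no CLSID resolves to shimgvw.dll'
}

# Usage:
#   Set-ShimgvwRegistration            # apply the workaround now
#   Set-ShimgvwRegistration -Restore   # after the tested update is installed
```

The registry check matters because regsvr32 /s suppresses its dialog and a stale or locked handle can leave a registration behind. Note what the workaround does and does not do: it removes the Explorer and viewer preview path that was being used by the in-the-wild exploits, but the flaw itself is in GDI32.DLL, so any other application that renders WMF files through GDI is unaffected by it; the unregistration reduces exposure until the tested update ships and is not a substitute for it.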
Mike Reavey, operations manager of the MSRC, said the appearance of the pre-release code was inadvertent.
"There has been some discussion and pointers on subsequent sites to the pre-release code. We recommend that customers disregard the postings and continue to keep up to date with our latest information on the WMF issue," Reavey said.
A security researcher who had seen the leaked patch told eWEEK it contained an updated GDI32.DLL file that was created by Microsoft immediately after the first exploits started appearing on malicious Web sites on Dec. 27.
Interestingly, Microsoft's patch works seamlessly with the unofficial hotfix from reverse-engineering guru Ilfak Guilfanov. "It looks like Microsoft was right on the ball with a patch and they've done it the right way, taking all things into consideration, including the fact that [Guilfanov's patch] is going to be on a lot of machines," a source said.
Microsoft has frowned on the availability of a third-party update, insisting that it cannot vouch for the quality of an unofficial patch that did not go through a full test pass.
Even as Microsoft scrambles to contain a threat that has grown to more than 100 exploits, there is a growing sense that some in the research community, and in the mainstream media, have overblown the severity of the issue.
Privately, Redmond officials have bristled at attempts to liken the WMF exploits to debilitating network worms like Blaster and Sasser, especially since significant user interaction is required before an attack is successful.
Shane Coursen, senior technical consultant at Kaspersky Lab, said the general feeling was that the vulnerability should be rated "a step below critical."
"If this vulnerability were to be packaged in a completely automated worm in the wild that doesn't require the user to click on anything, then it would be really critical. But there's no automated attack vector here," Coursen said.
However, Coursen said the flaw represents a "very serious" threat that should be fixed as soon as a thoroughly tested patch is available. "It's very important that people follow the advice to unregister Shimgvw.dll and keep anti-virus programs updated. You don't want to overblow the threat but you don't want to give people a false sense of security either."
Marc Maiffret, co-founder and chief hacking officer of eEye Digital Security, said a discussion about the severity of the threat is meaningless.
"There's this mentality among IT people and even at Microsoft that it's not a big threat unless thousands and thousands of users are being compromised. That's not the way to look at it. There's a reason phishing is a huge problem. It's a huge problem because people can be easily tricked into clicking on a bad link. That's why this is a big deal, even if the majority of users aren't being compromised," Maiffret said.
He also warned against believing that the current attacks cannot be automated. "This can be totally automated … because it required a click today [doesn't mean] it will require a click tomorrow. There are plenty of other things you can do to launch an attack from a clean site," Maiffret said.
He referred to a November 2004 incident when hackers broke into a load balancing server that handles ad deliveries for Germany's Falk eSolutions AG and successfully loaded exploit code on banner advertising served on hundreds of Web sites.
"If an attacker breaks into an ISP that hosts images for thousands of good sites, all he has to do is replace those with malicious WMF files. He can break into any high-traffic site and put his image there. That won't require a phishing click," Maiffret said. "You can't rank threats based on how many people are being compromised."
Maiffret, who was credited with finding and reporting a high-risk WMF bug to Microsoft last year, said IT administrators should avoid rating flaws based on which threats make news headlines.
"If it's not in the news, that's the one you want to be afraid of. There are hundreds of zero-day, targeted attacks happening right now. The ones in the news are the ones we know about. But you can't base security off the worm you read about in the papers. That was how it was in the 1990s. Today, the climate is that you are being attacked by the flaw you don't know about and if it's not found in the wild, you'll never know about it," Maiffret said.