Charlottezweb

General Conversation => Virus and Security Alerts => Topic started by: Jason on January 03, 2006, 09:10:29 AM

Title: Article (January 3, 06): Windows PCs face ‘huge’ virus threat
Post by: Jason on January 03, 2006, 09:10:29 AM
Pasting in full:
Click Here for article (http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html)

----------------------
Windows PCs face 'huge' virus threat
By Kevin Allison in San Francisco
Published: January 2 2006 18:18 | Last updated: January 3 2006 12:01

Computer security experts were grappling with the threat of a new weakness in Microsoft's Windows operating system that could put hundreds of millions of PCs at risk of infection by spyware or viruses.

The news marks the latest security setback for Microsoft, the world's biggest software company, whose Windows operating system is a favourite target for hackers.

"The potential [security threat] is huge," said Mikko Hyppönen, chief research officer at F-Secure, an antivirus company. "It's probably bigger than for any other vulnerability we've seen. Any version of Windows is vulnerable right now."

The flaw, which allows hackers to infect computers using programs maliciously inserted into seemingly innocuous image files, was first discovered last week. But the potential for damaging attacks increased dramatically at the weekend after a group of computer hackers published the source code they used to exploit it. Unlike most attacks, which require victims to download or execute a suspect file, the new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.

"We haven't seen anything that bad yet, but multiple individuals and groups are exploiting this vulnerability," Mr Hyppönen said. He said that every Windows system shipped since 1990 contained the flaw.

Microsoft said in a security bulletin on its website that it was aware that the vulnerability was being actively exploited. However an official patch to correct the flaw was not expected to be released until January 10.

In the meantime, Microsoft said it was urging customers to be careful opening e-mail or following web links from untrusted sources, and provided instructions for a "workaround" that would reduce the likelihood of attacks.

Meanwhile, some security experts were urging system administrators to take the unusual step of installing an unofficial patch created at the weekend by Ilfak Guilfanov, a Russian computer programmer.

Concerns remain that without an official patch, many corporate information technology systems could remain vulnerable as employees trickle back to work after the holiday weekend.

"We've received many e-mails from people saying that no one in a corporate environment will find using an unofficial patch acceptable," wrote Tom Liston, a researcher at the Internet Storm Center, an antivirus research group. Both ISC and F-Secure have endorsed the unofficial fix.

In its security bulletin, Microsoft made a general recommendation against unofficial patches, saying it was "best practice to utilise security updates for software vulnerabilities from the original vendor of the software".

Microsoft routinely identifies or receives reports of security weaknesses but most such vulnerabilities are limited to a particular version of the Windows operating system or other piece of Microsoft software. In recent weeks, the company has been touting its progress in combating security threats.

The company could not be reached on Monday for comment.

--------------------------

Did a little research and found more...

Microsoft's official report of it... (http://www.microsoft.com/technet/security/advisory/912840.mspx)
Quote
Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

Quote
Mitigating Factors:

• In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

• In an E-mail based attack involving the current exploit, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. At this point, no attachment has been identified in which a user can be attacked simply by reading mail.

• An attacker who successfully exploited this vulnerability could only gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Quote
What causes the vulnerability?
A vulnerability exists in the way specially crafted Windows Metafile (WMF) images are handled that could allow arbitrary code to be executed.

What is the Windows Metafile (WMF) image format?
A Windows Metafile (WMF) image is a 16-bit metafile format that can contain both vector information and bitmap information. It is optimized for the Windows operating system.

For more information about image types and formats, see Microsoft Knowledge Base Article 320314. Additional information about these file formats is also available at the MSDN Library Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system. This issue is not known to be wormable. In a Web-based attack scenario, an attacker would host a Web site that exploits this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

How could an attacker exploit the vulnerability?
An attacker could host a malicious Web site that is designed to exploit this vulnerability through Internet Explorer and then persuade a user to view the Web site.

I am reading e-mail in plain text, does this help mitigate the vulnerability?
Yes. Reading e-mail in plain text does mitigate this vulnerability where the e-mail vector is concerned although clicking on a link would still put users at risk.

EVERYONE should be on heightened alarm right now to avoid clicking email-based links or visiting sites they're not familiar with.  Definitely grab this patch when it becomes available on the 10th if you're running Windows.

Regards,
Jason
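The advisory quoted above speaks of "specially crafted" WMF images without saying what a scanner could look for. The following Python is an added example, not code from the thread or from Microsoft: it walks the WMF record structure (placeable header, META_HEADER, then size-prefixed records) and flags META_ESCAPE records that select the SETABORTPROC sub-function, the record type this flaw was exploited through. The record constants come from the WMF format specification and the sample files are constructed inline, so it runs offline.

```python
import struct

# Record and header constants come from the WMF format specification, not from the thread.
PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte "placeable" header that may precede META_HEADER
META_EOF = 0x0000
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # printer escape sub-function that installs a callback procedure

def wmf_records(data: bytes):
    """Yield (offset, function, params) per record; raise ValueError if the file is malformed."""
    pos = 22 if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    if len(data) < pos + 18:
        raise ValueError("truncated META_HEADER")
    mtype, hdr_words = struct.unpack_from("<HH", data, pos)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError(f"bad META_HEADER type={mtype} size={hdr_words}")
    pos += hdr_words * 2
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)     # size counts 16-bit words
        if size_words < 3 or pos + size_words * 2 > len(data):     # cannot hold its own header, or overruns
            raise ValueError(f"record at {pos} has bad size {size_words}")
        end = pos + size_words * 2
        yield pos, func, data[pos + 6:end]
        if func == META_EOF:
            return
        pos = end
    raise ValueError("no META_EOF record")

def find_setabortproc(data: bytes) -> list:
    """Offsets of META_ESCAPE records whose escape sub-function is SETABORTPROC."""
    return [off for off, func, params in wmf_records(data)
            if func == META_ESCAPE and len(params) >= 2
            and struct.unpack_from("<H", params, 0)[0] == SETABORTPROC]

def classify(data: bytes) -> str:   # verdict a mail or web gateway would act on
    try:
        return "suspect" if find_setabortproc(data) else "clean"
    except ValueError:
        return "malformed"           # treat unparsable images as suspicious too

def _record(func: int, params: bytes) -> bytes:   # params must be an even byte count
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params

# Constructed samples (not real files): 18-byte memory-metafile header, then records.
HEADER = struct.pack("<HHHHHHIH", 1, 9, 0x0300, 0, 0, 0, 0, 0)
BENIGN = HEADER + _record(0x0103, struct.pack("<H", 8)) + _record(META_EOF, b"")   # META_SETMAPMODE only
SUSPECT = (HEADER + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)
           + _record(META_EOF, b""))
PLACEABLE = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + SUSPECT
```

Legitimate image files almost never carry a SETABORTPROC escape (it is a printing feature), which is why matching this record was the signature approach of the time; the advisory's other mitigations (plain-text mail, non-administrative accounts) still apply regardless of what a scanner catches.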
Title: Re: Article (January 3, 06): Windows PCs face ‘huge’ virus threat
Post by: Jason on January 03, 2006, 09:25:42 AM
More links...

Internet Storm Center (http://isc.sans.org/diary.php?storyid=1009)
M$ to release update on Jan 10.

Viruslist.com (http://www.viruslist.com/en/weblog?discuss=176892530&return=1)
Quote
It was only a matter of time, the first IM-Worm exploiting the wmf vulnerability has been spotted...

It doesn't seem that the full impact of this is yet known.  I will post more as I hear about it.

Title: Re: Article (January 3, 06): Windows PCs face ‘huge’ virus threat
Post by: Mark on January 03, 2006, 04:57:19 PM
Ah yes... one step closer to switching to either Linux or dare I say... MAC! Actually the only thing holding me back is...

1. I have the Windows version of Adobe Creative Suite 2 (which was a lot of money) and use almost daily.
2. My wireless card doesn't work with Linux :(
Title: Re: Article (January 3, 06): Windows PCs face ‘huge’ virus threat
Post by: Jason on January 03, 2006, 05:53:12 PM
If it weren't for some of the purchased business apps I use, I'd do the same.  I have a box 2 feet from me now running FC3 but I haven't had the time I wish to really get to play with it much. 

And now I think FC4 is out :P

What I wouldn't give for a paid year-off to catch up on all the technology I have on my to-do list :)
Title: Re: Article (January 3, 06): Windows PCs face ‘huge’ virus threat
Post by: Jason on January 04, 2006, 12:16:51 PM
http://www.cnn.com/2006/TECH/internet/01/04/microsoft.patch.reut/index.html

Microsoft hopes to have virus patch next week
Quote
NEW YORK (Reuters) -- Microsoft Corp said it hopes to have a patch ready next week to fix the most recent flaw found in its Windows program -- a flaw that could leave computers vulnerable to a virus.

The software giant said in a statement it had "completed development of a security update to fix the vulnerability" that it discovered last week.

The update is being finalized and the company hopes to release it on January 10.

Microsoft added it has been monitoring any attempts to attack the vulnerability in Windows.

"Although the issue is serious and the attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks is limited," it said.

The flaw in the system lets computers come under attack if users visit harmful Web sites or open e-mail attachments.

Until the patch is released, Microsoft said computer users should be careful not to visit unfamiliar Web sites.
Title: Re: Article (January 3, 06): Windows PCs face ‘huge’ virus threat
Post by: Jason on January 06, 2006, 02:45:41 PM
And it's released ... 5 days early.

Instructions and file here:
http://www.microsoft.com/athome/security/update/bulletins/200601_WMF.mspx

Article from CNN:
http://www.cnn.com/2006/TECH/internet/01/06/wmfflaw/index.html

Quote
Windows users pushed Microsoft to release patch
Vulnerability left PCs open to viruses, spyware

Friday, January 6, 2006; Posted: 11:35 a.m. EST (16:35 GMT)
(CNN) -- Windows users worried about malicious attacks helped prod Microsoft to release a patch for a vulnerability five days earlier than expected.

For more than a week, criminal hackers have been exploiting the flaw in some Windows graphics files, known as Windows Meta File, or WMF.

"While we would always like to have more time, we are confident in the quality of the update," wrote Mike Nash, corporate vice president for security at Microsoft in the Microsoft Security Response Center Blog.

"While there is no imminent threat, a number of customers are seeing exploit traffic hitting their AV (anti-virus), IDS (intrusion detection system) and IPS (intrusion prevention systems).

Until the patch release Thursday, the software giant had planned to make the fix available along with all its other security updates for this month on Tuesday, January 10.

There is a link to the fix on the Microsoft home page, which should protect Windows users from being infected with the malicious code.

Customers who use the "automatic updates" function will receive the patch automatically and do not need to take further action.

About 90 percent of computer users worldwide use some form of the Windows operating system.

Unusual feature
Microsoft became aware of the malicious attacks December 27.

User concerns were heightened because of an especially dangerous aspect of these attacks: Your computer could be infected with viruses, spyware or other malicious programs just by viewing a Web page, an e-mail message, or an Instant Message that contained one of the contaminated images.

Computer security experts have been dealing with scores of variations on the attack since it was discovered.

"Nobody knew it was coming," security expert Rick Howard of Counterpane Internet Security said. "There was no security intervention or mitigation for it."

Unlike infamous computer worms and viruses like Blaster, Code Red or I Love You, the WMF attack is not spreading like wildfire across the Internet.

Most of the malicious efforts fit the patterns of recent attacks. They are not designed to earn bragging rights for a brash programmer, but instead are likely tied to theft, fraud and organized crime.

Some of the exploits so far identified are designed to steal passwords. Others install computer code that turns machines into zombies, which can then be controlled remotely to spew spam and viruses.

Microsoft issued its first security advisory on the issue December 28, the day after it became aware of the attacks.

Although the Microsoft security advisory characterized the attacks as "not widespread," there was an intense focus on the attacks and malicious possibilities across tech Web sites.

In a somewhat unusual development, an unofficial, third-party patch was posted on the Web several days before Microsoft's official fix.

That patch was created by Russian engineer Ilfak Guilfanov, and is available through the SANS Internet Storm Center, http://isc.sans.org/, and other security-related Web sites.

Although Howard said Guilfanov's fix has been tested and is being released by the "good guys," there can be complications, even with official patches.

Something designed to fix one problem, like the WMF exploit, can sometimes wreak havoc on other computer components. Although tech-savvy home users who are aggressive about their security might download and install the unofficial patch with no problems, Howard said the average home user, and big companies with complex computer networks, would do better to use the official Microsoft fix.

Microsoft's Nash acknowledged the complexity of security patches in his blog.

"Actually creating the update was a straightforward process. The challenge was testing the update on all of the supported versions of Windows and the 23 languages we support and making sure that the set of applications that might be affected by this update are not negatively affected by this change," he wrote.

Computer security companies recommend several safe-computing practices. A few tips:

• Stay away from unfamiliar Web sites, as they are more likely to host malicious code
• Ignore links in e-mail messages from unknown sources
• Install a personal firewall
• Keep antivirus and antispyware software up to date.

"The good news for home users is that most standard antivirus vendors are keeping up to date, and as long as they download the right signature, they'll be OK," Howard said.

Get it while it's hot :)
Title: Re: Article (January 3, 06): Windows PCs face ‘huge’ virus threat
Post by: Mark on January 12, 2006, 11:58:32 AM
Got mine last week through Auto-Update