Windows image flaw threatens users


PC users were warned this week about a vulnerability within Microsoft Windows that can be exploited by viewing a malicious website.

Malicious users had set up attack websites to exploit the image vulnerability, from which they could execute arbitrary code, cause a denial of service condition or take complete control of an infected PC, the U.S. Computer Emergency Readiness Team and multiple security firms warned.

US-CERT said that the vulnerability could affect users of Internet Explorer and Mozilla Firefox, and warned users not to view files they did not recognize.

"Although there is limited information concerning this reported vulnerability, US-CERT encourages users not to view .wmf files and system administrators to block .wmf files at the HTTP proxy and the SMTP level," the agency advised.

F-Secure told users that the new zero-day WMF exploit was easy to stumble upon.

"Do note that it's really easy to get burned by this exploit if you're analyzing it under Windows. All you need to do is to access an infected website with IE or view a folder with infected files with the Windows Explorer," F-Secure researcher Mikko Hypponen warned on the firm's website. "You can get burned even while working in a DOS box!"

Secunia called the threat "extremely critical" and warned users only to open or preview image files from trusted sources.

"Do not save, open or preview untrusted image files from email or other sources, or open untrusted folders and network shares in explorer," the firm said in an advisory. "The risks can be mitigated by unregistering shimgvw.dll. However, this will disable certain functionalities. Secunia does not recommend the use of this workaround on production systems until it has been thoroughly tested."

Computer Associates classified the vulnerability as "high," and said it could possibly be exploited by numerous kinds of files.

"Use of the Windows Picture and Fax Viewer is one known vector of attack through the automatic display of certain metafiles. Known file types that will launch Windows Picture and Fax Viewer when opened are .wmf, .emf, .gif, .jpeg, .jpg, .bmp, and .png," CA said. "Note: Additional attack vectors may exist."
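Because the viewer CA describes is reached through several image extensions, a filter that keys only on the `.wmf` name US-CERT mentions is easy to miss with. The following Python check, added here as an illustration and not taken from the article or any vendor quoted in it, identifies WMF content by its file header instead; the header layout (the placeable key `0x9AC6CDD7` and the 18-byte META_HEADER) comes from the WMF file format, and the sample byte strings are constructed for the demonstration.

```python
import struct

# Format constants from the WMF file format (not from the article).
PLACEABLE_KEY = 0x9AC6CDD7   # key that opens the 22-byte "placeable" (Aldus) header
PLACEABLE_LEN = 22
META_HEADER_LEN = 18         # Type, HeaderSize, Version, Size, NumObjects, MaxRecord, NumMembers


def has_meta_header(data: bytes, offset: int = 0) -> bool:
    """True if a standard META_HEADER starts at `offset`."""
    if len(data) < offset + META_HEADER_LEN:
        return False
    mtype, header_size, version = struct.unpack_from("<HHH", data, offset)
    # Type 1 = memory metafile, 2 = disk metafile; HeaderSize is always 9 WORDs;
    # Version is 0x0100 or 0x0300.
    return mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def looks_like_wmf(data: bytes) -> bool:
    """Content-based WMF check, independent of the file name."""
    # For a blocking filter the placeable key alone is enough evidence.
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    return has_meta_header(data, 0)


def scan_attachment(name: str, data: bytes) -> tuple:
    """Decision for a proxy or mail gateway: block on WMF content or on a .wmf name."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if looks_like_wmf(data):
        return ("block", "WMF header detected; claimed extension .%s" % (ext or "<none>"))
    if ext == "wmf":
        return ("block", "extension .wmf")
    return ("allow", "no WMF signature")


# Constructed samples: headers only, no drawing records.
META = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
PLACEABLE_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + META
STANDARD_WMF = META
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for fname, blob in [("holiday.jpg", PLACEABLE_WMF), ("chart.wmf", STANDARD_WMF), ("logo.png", PNG)]:
        print(fname, scan_attachment(fname, blob))
```

The renamed `holiday.jpg` sample is blocked on content while the PNG passes, which is the property an extension-only rule lacks.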

Microsoft released a statement Thursday saying the company is investigating the incident and will take appropriate measures as the investigation proceeds. It did not tip its hand on whether it would release a patch outside of its monthly cycle.

"Microsoft is actively monitoring this situation to keep customers informed and will provide additional customer guidance as necessary. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers," the Redmond, Wash., computing giant said. "This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."

Shane Coursen, senior technology consultant with Kaspersky Lab, said workers returning to offices after New Year's Day could create epidemic conditions for the new threat.

"When people start coming back in to work after the New Year, and if by that time somebody figures out how to package this exploit in the form of a self-propagating worm, we could then see a spike in prevalence," he said. "In order for a worst-case New Year scenario to be avoided, it might depend on how many computers are protected via the MS workaround (assuming it is a solid and acceptable temporary solution), and by people's awareness of the threat."
