WMF Windows Media File vulnerability = another Windows Major Foul-Up

Thursday, 09 February 2006
Microsoft really has improved the security of its code over the last few years. The fact that every now and then a bug like the new WMF bug still comes along just goes to show how careless the old code is. The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences. Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug. As a result, it is surprisingly easy to get hit with this attack, even if you are being careful. I've heard stories of experienced researchers being hit while researching the attack. One way this might have happened, and it's a good example of how easy it is, is through Google Desktop. F-Secure has demonstrated that Google Desktop users can become infected simply by downloading an infected file: when Google Desktop indexes the file, it launches the exploit.
Adware sites appear to be going hog-wild with this attack. According to Sunbelt Software, over a thousand sites are spreading more than 50 variants of it, thanks to an underground adware infection network that acts something like the DoubleClick of adware. This appears to be another one of those attacks that will become a permanent part of the Internet landscape. Rather than try to keep the format useful for its customers, Microsoft ought to think of saving the rest of the world; WMF has become poisoned and it's time for customers to move on. In fact, given how this exploit works, the situation could be worse. The vulnerability is related to a GDI32 feature whereby WMF files are allowed to register a callback function that will be executed in certain situations. Perhaps resident malicious code could traverse the system and network, infecting all WMF files it encounters by adding this callback to them....
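The callback registration the post refers to has a concrete shape on disk: a Windows Metafile is a fixed header followed by a list of records, and a META_ESCAPE record whose escape code is SETABORTPROC (9) is how a metafile asks GDI to install an abort procedure. A defender who wants to triage files coming in over mail or web, or to sweep a file share for metafiles carrying that record, can do so without rendering anything. The scanner below is an added example, not code from the original post or from any of the vendors it names. The record layout is taken from the public WMF specification; the three sample files at the bottom are constructed test vectors whose escape data is zero-filled (they carry no payload) and exist only to exercise the scanner.

```python
"""Added example (not from the original post): walk a WMF file's record list
and report META_ESCAPE records whose escape code is SETABORTPROC, plus the
structural defects (record size overrunning the file, missing META_EOF)
that are common in hand-crafted metafiles. Test vectors are constructed."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # Aldus placeable header signature (22-byte prefix)
META_HEADER_BYTES = 18         # fixed size of META_HEADER
META_EOF = 0x0000
META_SETWINDOWORG = 0x020B     # an ordinary drawing record, used for the benign sample
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009          # escape function that installs an abort callback


def iter_records(data):
    """Yield (offset, function, params) for each record and stop at META_EOF.

    Raises ValueError on a truncated header, on a record whose declared size
    (in 16-bit words, including its own 6-byte header) cannot fit the file,
    and when the file ends without a META_EOF record."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                   # skip the placeable header
    if len(data) < off + META_HEADER_BYTES:
        raise ValueError("truncated META_HEADER")
    header_words = struct.unpack_from("<H", data, off + 2)[0]   # HeaderSize field
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size_bytes = size_words * 2
        if size_words < 3 or off + size_bytes > len(data):
            raise ValueError(f"record at 0x{off:x} declares {size_words} words, "
                             "which does not fit the file")
        yield off, func, data[off + 6:off + size_bytes]
        if func == META_EOF:
            return
        off += size_bytes
    raise ValueError("file ends without a META_EOF record")


def scan_wmf(data):
    """Return {'abort_proc': [record offsets], 'malformed': message or None}.

    Offsets found before a structural error are kept, so a truncated file
    that already registered a callback is still reported."""
    result = {"abort_proc": [], "malformed": None}
    try:
        for off, func, params in iter_records(data):
            if func == META_ESCAPE and len(params) >= 4:
                esc_func, _byte_count = struct.unpack_from("<HH", params, 0)
                if esc_func == SETABORTPROC:
                    result["abort_proc"].append(off)
    except ValueError as exc:
        result["malformed"] = str(exc)
    return result


# --- constructed test vectors (placeholder bytes only, no real payload) ---

def _record(func, params=b""):
    """Pack one WMF record; params are padded to a whole number of words."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records):
    """Prepend a standard META_HEADER (disk metafile, version 0x0300)."""
    body = b"".join(records)
    max_words = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    total_words = (META_HEADER_BYTES + len(body)) // 2
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300,
                         total_words & 0xFFFF, total_words >> 16, 0, max_words, 0)
    return header + body


BENIGN_WMF = _wmf([_record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
                   _record(META_EOF)])
ABORTPROC_WMF = _wmf([_record(META_ESCAPE,
                              struct.pack("<HH", SETABORTPROC, 8) + b"\x00" * 8),
                      _record(META_EOF)])
TRUNCATED_WMF = ABORTPROC_WMF[:-4]      # META_EOF record chopped off

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("abortproc", ABORTPROC_WMF),
                       ("truncated", TRUNCATED_WMF)]:
        print(f"{name:10s} {scan_wmf(blob)}")
```

The scanner deliberately reports a SETABORTPROC record as a finding regardless of what follows it: the record is what installs the callback, so its mere presence in a file arriving from the outside is worth a look, and legitimate drawing metafiles have no reason to carry it. Structural errors are reported separately rather than aborting the scan, because malformed record sizes were typical of the in-the-wild samples and a parser that simply gives up on them would miss exactly the files of interest.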