Zero-day vulnerability in Windows still unpatched


Dec 30, 2005: Hundreds of millions of PCs still at risk; F-Secure able to stop the malicious files

The zero-day vulnerability in Windows WMF (Windows Metafile) files, first reported on December 27, is still unpatched by Microsoft. At that time Trojan downloaders were seen actively exploiting the vulnerability on fully patched Windows XP SP2 machines.

Windows metafiles are image files used by popular applications such as Microsoft Word. So far WMF exploits have typically been used to install spyware and adware, although the threat of virus and worm exploits remains.

Users can be infected simply by visiting a web site with an image file containing the WMF exploit. Internet Explorer users are at the greatest risk of automatic infection, while Firefox and Opera users are prompted with a question asking whether they would like to open the WMF image or not. They get infected too if they answer 'Yes'.

Microsoft and CERT.ORG issued bulletins on the Windows Metafile vulnerability and also announced a workaround while Microsoft is creating a patch. Microsoft confirms that the vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003. This means there are hundreds of millions of vulnerable computers at the moment.

As a precaution, F-Secure recommends that administrators block access to all WMF files at the HTTP proxy and SMTP level. Consumers are also advised to enable the Windows automatic update system, reject any emails sent to them with WMF or other dubious-looking attachments, and ensure that their virus protection is up to date.
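One way to implement the proxy-level block recommended above, as an added example that is not F-Secure's code: it recognises a WMF file by its header bytes rather than only by file extension or declared content type, on the assumption that an exploit file may be served under a misleading name such as `.jpg`. The MIME type list and the sample bytes are constructed for the example.

```python
import struct

# Magic number of the "placeable" (Aldus) WMF header, stored little-endian on disk.
PLACEABLE_KEY = 0x9AC6CDD7
STANDARD_HEADER_LEN = 18  # mtType .. mtNoParameters
# Content types a proxy may see for metafiles (assumed list, extend as needed).
WMF_CONTENT_TYPES = ("image/wmf", "image/x-wmf", "application/x-msmetafile")


def is_wmf(data: bytes) -> bool:
    """Recognise a Windows Metafile from its first bytes, ignoring the file name."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True  # placeable header; the standard header follows at offset 22
    if len(data) < STANDARD_HEADER_LEN:
        return False
    mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
    # mtType: 1 = in-memory, 2 = on-disk; mtHeaderSize is 9 words; versions 0x100 / 0x300
    return mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def should_block(filename: str, content_type: str, body: bytes) -> bool:
    """Proxy decision: block on extension, on declared type, or on sniffed content."""
    if filename.lower().endswith(".wmf"):
        return True
    if content_type.lower() in WMF_CONTENT_TYPES:
        return True
    return is_wmf(body[:32])


# Constructed samples: a minimal standard WMF header, and the start of a JPEG.
SAMPLE_WMF_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
SAMPLE_JPEG_START = b"\xff\xd8\xff\xe0" + b"\x00" * 28

if __name__ == "__main__":
    # A WMF served as "picture.jpg" with a JPEG content type is still caught.
    print(should_block("picture.jpg", "image/jpeg", SAMPLE_WMF_HEADER))  # True
    print(should_block("picture.jpg", "image/jpeg", SAMPLE_JPEG_START))  # False
```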

F-Secure Anti-Virus detects the offending WMF files with generic detection either as PFV-Exploit or Exploit.Win32.IMG-WMF.

Speaking about the case, Chief Research Officer at F-Secure, Mikko Hypponen said: “So far, we've only seen this exploit being used to install spyware or fake antispyware and antivirus software on the affected machines. I'm afraid we'll see real viruses using this soon. We've seen 70 different versions of malicious WMF files so far.” Hypponen pointed out that the WMF exploit has been used with a clear criminal motivation to install spyware and to dupe ordinary consumers into purchasing fake security products for their computers.

Until a patch is issued, Hypponen recommended that administrators filter the domains associated with the exploit at corporate firewalls.

For updates on the WMF vulnerability, please check the F-Secure Viruslab blog, which broke the news on 28 December: http://www.f-secure.com/weblog/

For further information, please contact:

F-Secure Corporation
Mikko Hypponen,
Chief Research Officer
PL 24
FIN-00181 Helsinki
Gsm +358 400 648 180