Microsoft Windows’ Zero-Day WMF flaw threats widespread; Macintosh unaffected

“As bleaker details emerged Thursday about the threat posed by a zero-day vulnerability in Windows, Microsoft said it would produce a patch for the flaw but declined to put the fix on a timetable,” Gregg Keizer reports for TechWeb News. “In a security advisory posted on its Web site, Microsoft confirmed the vulnerability and the associated release of exploit code that could compromise PCs, and listed the operating systems at risk. Windows 2000 SP4, Windows XP [Service Pack 1 and Service Pack 2 as well as Windows Server 2003 with Service Pack 0 and Service Pack 1 – source: Secunia, see below], Windows Server 2000, Windows 98, and Windows Millennium can be attacked using the newly-discovered vulnerability in WMF (Windows Metafile) image file parsing, said Microsoft.” It can be exploited when an Internet Explorer or Firefox user visits a Web site that has malicious code on it, or when a user previews .wmf format files with Windows Explorer.

“And other details began emerging Thursday that indicated the threat may be worse than originally believed,” Keizer reports. “‘It’s really easy to get this thing,’ said Shane Coursen, a senior technical analyst with Moscow-based Kaspersky Labs. ‘The exploit will even work through a DOS box.’ … At the moment, say the experts, exploits are “only” installing spyware and/or fake anti-spyware software. That’s bad enough, said two security firms, including one that specializes in combating spyware. ‘Now we’re seeing many more using this to install bad stuff,’ said Alex Eckelberry, president of anti-spyware developer Sunbelt Software. ‘This is a really bad exploit. Be careful out there.’”

Full article here.

Secunia Advisory: Microsoft Windows WMF “SETABORTPROC” Arbitrary Code Execution
• Extremely critical
• Description: A vulnerability has been discovered in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error in the handling of Windows Metafile files (“.wmf”) containing specially crafted SETABORTPROC “Escape” records. Such records allow an arbitrary user-defined function to be executed when the rendering of a WMF file fails. This can be exploited to execute arbitrary code by tricking a user into opening a malicious “.wmf” file in “Windows Picture and Fax Viewer” or previewing a malicious “.wmf” file in explorer (i.e. opening a folder containing a malicious image file).

The vulnerability can also be exploited automatically when a user visits a malicious web site using Microsoft Internet Explorer.

NOTE: Exploit code is publicly available. This is being exploited in the wild. The vulnerability can also be triggered from explorer if the malicious file has been saved to a folder and renamed to other image file extensions like “.jpg”, “.gif”, “.tif”, and “.png” etc.

The vulnerability has been confirmed on a fully patched system running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 SP0 / SP1 are reportedly also affected. Other platforms may also be affected.

Secunia Advisory here.
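
A content-based check for the record type the advisory describes, as an added example that is not part of the Secunia advisory or the original article: it walks a WMF record stream and reports any “Escape” record whose escape function is SETABORTPROC, deciding from the bytes rather than the file name, because a renamed file is still affected. The function names, the low-byte match on the record function and the sample bytes are assumptions of this example; the constructed sample carries no escape data.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7  # optional 22-byte placeable header magic
META_ESCAPE = 0x0626        # record function of an "Escape" record
SETABORTPROC = 0x0009       # escape function named in the advisory
META_EOF = 0x0000
META_SETMAPMODE = 0x0103    # harmless record used in the constructed sample


def find_setabortproc(data):
    """Return byte offsets of SETABORTPROC Escape records in WMF content.

    Returns [] for non-WMF or truncated input. Works on bytes only, so a
    ".wmf" renamed to ".jpg" is inspected the same way.
    """
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22
    if len(data) < pos + 18:
        return []
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, pos)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        return []
    pos += hdr_words * 2
    hits = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == META_EOF:
            break  # malformed length or end-of-file record: stop walking
        # Assumption of this example: compare only the low byte of the
        # record function, a deliberately conservative match.
        if func & 0xFF == META_ESCAPE & 0xFF and pos + 8 <= len(data):
            (escape_fn,) = struct.unpack_from("<H", data, pos + 6)
            if escape_fn == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2
    return hits


def _record(func, params=b""):
    # Record = 32-bit size in 16-bit words, 16-bit function, parameters.
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(with_abortproc):
    """Constructed sample: header, one map-mode record, optionally an
    Escape/SETABORTPROC record with zero bytes of escape data, then EOF."""
    recs = _record(META_SETMAPMODE, struct.pack("<H", 1))
    if with_abortproc:
        recs += _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))
    recs += _record(META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(recs) // 2, 0, 5, 0)
    return header + recs


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)),
                        ("flagged", build_sample(True))):
        print(label, find_setabortproc(blob))
```

A hit is a reason to quarantine the file for review; the check reads only the record header and the escape function number.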

“Microsoft really has improved the security of its code over the last few years. The fact that every now and then a bug like the new WMF bug still comes along just goes to show how careless the old code is,” Larry Seltzer reports for eWeek. “The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences. Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug… I’m hesitant at this point to go into details until there is a patch, but my own research confirms that the potential for spreading this attack far and wide is immense and that easier vectors than Web pages exist.”

“Adware sites appear to be going hog-wild with this attack. According to Sunbelt Software, over a thousand sites are spreading more than 50 variants of it, thanks to an underground adware infection network that acts something like the DoubleClick of adware,” Seltzer reports. “Rather than try to keep the format useful for its customers, Microsoft ought to think of saving the rest of the world; WMF has become poisoned and it’s time for customers to move on.”

Full article here.
Windows-only users, are you enjoying your experience, yet? Have you finally had enough? There is a better way. A far, far, far better way: Macintosh. Because life’s too short.

41 Comments

  1. hey i just read this article about the N.S.A. using “cookies” to track peoples computers surfing the “internets” does this affect Macs too? i want to know

    Yes, it affects Macs. MacDailyNews uses cookies. (I think they are part of MDN’s trying to send any user only one pop-under ad a day.) Almost every commercial website uses them. For instance, that’s how Amazon.com, etc. know it’s you when you visit their site days later.

    Unless you are ultra-paranoid, don’t worry about it. (Have you been surfing sites you don’t want others who have access to your computer to find out about – e.g. PORN?)

    If you do worry about it, delete your cookies with some frequency. In Safari, it’s under Safari>Preferences, the Security tab. You can view what cookies you have and then delete some or all of them. You can also totally disable receiving cookies but be forewarned that some sites will not work with cookies disabled. Some will give you a warning and ask you to turn them on. Others will simply not work right.

    Some other browsers (Opera?) can be set to delete all cookies upon exit (or was that start up?). While I have used Firefox & Camino some, I haven’t looked into all their cookie handling options. I don’t do IE.

    Does anyone have any comments about other browsers?

    Technical explanation: The Web is “stateless”. It does not remember the last page you were at. Thus cookies are often used to preserve individualized information as you go from page to page within a site. Cookies are supposedly only accessible to the web site that created them – MDN can’t look at your Apple.com cookies and vice versa. Though I am not sure what the latest info on that is.

    Can anyone comment?

    Where the NSA got in trouble is their website was found to be using cookies. Under US law, it is illegal for the NSA to collect ***ANY*** information about US citizens. Under the law, cookies qualify as data collection. From other articles I saw today, the NSA did not have cookies on their original website, but software was changed, someone got sloppy or lazy, etc., etc., and they wound up with cookies on their website. They are now supposedly removed, after they were brought to the NSA management’s (and US lawmakers & other regulatory & watch dog groups) attention.

    Does that answer your question?

  2. That’s it, I’m switching to Windows. With the hundreds of patches so far, it HAS to be the most secure OS out there! This “zero-day” attack has to be the last!

    Billy, I’m bending over, c’mon in!

  3. Man I LOVE reading about all these Windows problems! Gives me a warm fuzzy feeling inside knowing I dumped that POS OS 5 years ago!

    Got to love it! Keep up the great work Microsoft!

  4. Joe the Farmer said: “… when Mac OS X gains share and we start seeing viruses show up for it.”

    Knuckle head, this false logic, “security by obscurity®” doesn’t hold water. How many millions more of OS X installations will qualify it as not obscure?

    Since Windows Pasta (a.k.a Stillborn) will be quite “popular” does that mean it will be as insecure as its predecessors?

    Gee, I wonder if it’s the underlying code of an OS that makes it secure or insecure?

    Fool.

  5. Lost Budgie,

    You can’t have been more happy with that luggable Kaypro than you are with Mac OS X!!! I used one of those for awhile and absolutely hated it. Sure it was great back then, but you can’t even compare it today. Did you have to use that horrible word processor, WordStar on that thing? Yuck!

  6. And now for another broken record apology by the MS Press fanboys

    “Microsoft really has improved the security of its code over the last few years. The fact that every now and then a bug like the new WMF bug still comes along just goes to show how careless the old code is,” Larry Seltzer reports for eWeek. “The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences.

    ba.. dump.. dump… chhhhh

    Larry, Rob, and those of your ilk, your story is getting old. There is NO EXCUSE for missing something like this. Stop making excuses for these losers and move into the 21st century.

  7. I guess you guys missed all those proven vulnerabilities that were found in OS X. Too busy drinking your kool-aid?

    Look, I’m a mac user. I use macs. I love macs. But I’m not an idiot, and I don’t feel the need to delude myself into thinking my machine is invulnerable. I’ll grant that OS X has some things going for it. But to think that it is invincible is idiotic. It has been proven in the past that Apple can be hacked (think Fairplay, OSx86). There have been proof of concept viruses. Apple still releases frequent security updates.

    OS X is not totally secure. If enough hackers get interested, there will be exploits. No piece of software is flawless. This is a simple fact.

    As much as you and I might want Apple to succeed, there WILL be mac viruses. And I think you guys are really setting yourselves up to eat some serious crow when they start showing up.

  8. It still amazes me that a company of MS’ size with the amount of money at their disposal, the resources that they could afford can’t get their shit together. I wonder what Apple could do with what MS has….

  9. Joe:

    I personally think there are some out there trying very hard to create a virus for the Mac. Remember, to be malicious, it must replicate itself and move from one Mac to another.

    Of course Apples can be hacked (if it’s standing still). Fairplay and OSx86 were more along the lines of reverse engineering. Also, they weren’t intended to take over and exploit every Mac they came across on the internet. Just going to a website did not install OSx86 on a Mac and make it execute the code.

    We keep reading about FUD from some of these security firms and they swear they have found a vulnerability (as long as you invite them over, give them access to your Mac, and give them your admin password so they can prove to you it exists). Nothing in the wild as of yet.

    Nothing!

    I am not saying the Mac is invulnerable (I try to stay away from absolutes when it comes to security), but I believe it is very, very secure.

    The first person to create a real virus for OS X will be famous the world over and will be a hero to Windows apologists everywhere. I don’t believe for a moment that some very talented people aren’t working on trying to achieve just one real security exploit for Mac.

    That alone would make their whole career. To be the guy who cracked the Mac and made all the Mac-heads cry. There is a lot riding on this and you can bet there are people out there trying their hardest.

    Will we have to eat crow? I’m not eating until someone proves to me Macs are as insecure as Windows PCs.

    Don’t bother me if the first flaw shows up, call me when we reach 100,000.

    ~M

  10. qka

    Excellent explanation of cookies. It should be pointed out that they can only be retrieved by the domain that sets them; NSA can’t fetch your Amazon cookies to see if you expressed an interest in Partying with Osama.

    NSA (and other gov’t agencies) are allowed to use session cookies, that go away when you quit your browser – the issue here is persistent cookies – which can be used, but such use needs to be justified and explicitly explained in the site privacy policy page.

    Supposedly, the NSA cookie thing is an error resulting from a software upgrade in which the new software by default used persistent cookies. This is somewhat plausible, but the CIA a couple of years ago had the exact same “problem” and got caught; one would think that the NSA would have learned from the error of their sister agency.

    More to the point, this “error” comes on the heels of the far more serious NSA warrantless wiretap issue. I suspect that the cookie “problem” exists solely to divert some attention from that and to conflate the two issues, to ultimately minimize the seriousness of the apparently criminal wiretapping.

    MW: “police” – I’m not kidding. How appropriate.

  11. All the patches that M$ produces must take a lot of resources and cost them a lot of money. I wonder just how large a line item it is for them? At some point, it’s gonna reach a critical mass for them.

    Joe – get back on the turnip truck. Sorry, i couldn’t resist. But really, you make a valid point, that no OS is perfect. What you fail to realize, though, because you aren’t a software engineer, is that MacOS X is engineered, whereas Windoze is not, and therein lies the difference. MacOS X will never be the mess that Windoze is (unless Apple fires all its software engineers and hires all of M$’s programmer monkeys).

    Like Mozfan seyz, the fact there isn’t a MacOS X virus to date has nothing to do with marketshare nor lack of effort by hackers et al. You can bet that Symantec is hard at work trying to produce the first one, so they have something to point to when trying to sucker Mac users into buying their Mac Trojan (Symantec Virus Software, er, Anti-Virus).

    I suspect the only anti-virus software a Mac user will ever need is Apple’s free Software Update. Crow will not be on the menu in the realm of Macintosh.

  12. On the subject of Cookies, does anyone else want what I want…ie: to delete at the end of every session cookies from ALL sites other than those I select to keep. That way I only keep the cookies that enable me to ‘stay logged in’ to sites and not keep re-inputting passwords. Thus my friendly MDN ‘do no harm site’ cookies stay, while external advertising, unknowns and others get whisked off into the ether..

    Wouldn’t that be the best?

  13. Microsoft employees at it again in 2005 I see from the Darwin awards:

    (31 May 2005, Seattle, Washington) Strength and endurance are two of
    the most important characteristics that can be passed on to improve
    the species, so physical challenges between males are frequent. In
    this case, two drinking buddies found themselves on an overpass 40
    feet above a busy freeway in downtown Seattle at 2:45 a.m. It turned
    out to be the perfect place to determine who had more strength and
    endurance. Whoever could dangle from the overpass the longest would
    win!

    Unfortunately, the winner was too tired from his victory to climb back
    up, despite help from his 31-year-old friend. The unidentified
    champion fell smack into the front of a semi-truck barreling down the
    highway at 60 mph and bounced onto the pavement, where he was hit by a
    car. The car did not stop. Authorities did not identify the winner
    of the competition.
