If there was one thing that could not be relied upon over the holiday season, it was that attackers would stop work when most offices did. Inevitably, then, a zero-day attack appeared that exploited a flaw in the handling of the Windows Metafile Format (WMF).
The flaw was considered serious enough for the august Sans Institute to break with its usual protocol and recommend installing an unofficial patch rather than waiting for Microsoft’s official one.
The attack was first observed on 26 December. It allows computers running Windows XP or Windows Server 2003 to be compromised through a vulnerability in the way those systems render certain WMF graphic files.
One exploit seen in the wild has been given the name HappyNY.A. It arrives as an email with the subject line ‘Happy new year’ and an attached file called HappyNewYear.jpg. Rendering the attachment installs a Trojan; in some cases simply previewing the image is enough, with no need to click anything or open any file.
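The attack works because the image is not really a JPEG: Windows identifies a WMF by its contents rather than by the file name, and the flaw fixed by Microsoft lay in how GDI played a metafile ESCAPE record carrying the SETABORTPROC function, which let the file supply code that GDI would then run. That mechanism is background not stated in the article. The scanner below is an added example, not code from the article or from any vendor: it sniffs an attachment's true type from its magic bytes, flags WMF content hiding behind another extension, and walks the metafile records looking for ESCAPE/SETABORTPROC. The sample attachments are constructed inline and the "escape data" is inert filler, not a real payload.

```python
import struct

# Windows Metafile constants (real values from the published WMF format)
WMF_PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the optional Aldus placeable header
PLACEABLE_HEADER_LEN = 22
META_HEADER_LEN = 18
META_ESCAPE = 0x0626               # META_ESCAPE record function
META_EOF = 0x0000                  # last record in every metafile
SETABORTPROC = 0x0009              # escape function abused by the exploit
JPEG_SOI = b"\xff\xd8\xff"         # JPEG start-of-image marker


def sniff_type(data: bytes) -> str:
    """Identify content by magic bytes, ignoring the (untrusted) file name."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == WMF_PLACEABLE_MAGIC:
        return "wmf"
    if len(data) >= META_HEADER_LEN:
        file_type, header_words, version = struct.unpack_from("<HHH", data)
        # META_HEADER: type 1 (memory) or 2 (disk), 9-word header, version 0x100/0x300
        if file_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def iter_wmf_records(data: bytes):
    """Yield (function, params) for each record; stop at META_EOF or a bad size."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == WMF_PLACEABLE_MAGIC:
        off = PLACEABLE_HEADER_LEN
    off += META_HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:            # a record is at least its own 6-byte prefix
            break                     # malformed size: refuse to loop forever
        end = off + size_words * 2    # sizes are counted in 16-bit words
        yield func, data[off + 6:end]
        if func == META_EOF:
            break
        off = end


def find_setabortproc(data: bytes) -> list:
    """Return the escape-data byte counts of every ESCAPE/SETABORTPROC record."""
    hits = []
    for func, params in iter_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params)
            if esc_func == SETABORTPROC:
                hits.append(byte_count)
    return hits


def scan_attachment(filename: str, data: bytes) -> list:
    """Findings for one attachment: disguised WMF content and SETABORTPROC escapes."""
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if sniff_type(data) == "wmf":
        if ext != "wmf":
            findings.append(f"WMF content delivered with .{ext} extension")
        for n in find_setabortproc(data):
            findings.append(f"ESCAPE/SETABORTPROC record with {n} bytes of escape data")
    return findings


# --- constructed sample files (not real malware) --------------------------
def wmf_record(func: int, params: bytes = b"") -> bytes:
    assert len(params) % 2 == 0       # record sizes are whole 16-bit words
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records) -> bytes:
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300,
                         (META_HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    return header + body


BENIGN_WMF = build_wmf([wmf_record(META_EOF)])
PLACEHOLDER = b"\xcc" * 16            # inert filler standing in for attacker code
HOSTILE_WMF = build_wmf([
    wmf_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, len(PLACEHOLDER)) + PLACEHOLDER),
    wmf_record(META_EOF),
])
REAL_JPEG_HEAD = JPEG_SOI + b"\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in (("card.wmf", BENIGN_WMF), ("photo.jpg", REAL_JPEG_HEAD),
                       ("HappyNewYear.jpg", HOSTILE_WMF)):
        print(name, scan_attachment(name, blob) or ["clean"])
```

This is the same kind of content-based check that anti-virus and intrusion-detection signatures used at the time, and it carries the same caveat: it matches the record that the known exploits needed, so a deliberately mangled metafile that GDI still tolerates could slip past it, and it says nothing about WMF content reaching the machine by a route other than a scanned attachment, such as a web page.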
Microsoft is assuring customers that, while it regards the issue as serious and the danger from attacks as real, it believes the scope of the attacks is limited. It says attacks exploiting the WMF vulnerability are being effectively mitigated by anti-virus vendors with up-to-date signatures.
Yet the assessment from the Sans Institute is markedly more serious. The Institute believes the threat posed by the WMF flaw is growing, and that hundreds of sites are already using exploits for it to install malicious software on Windows-based computers.
It adds: “What makes the WMF vulnerability particularly insidious is that it can infect computers when users merely visit sites or view a maliciously crafted image in the preview pane of older versions of Microsoft Outlook; machines can become infected without requiring the user to click on anything or open any files. Microsoft is investigating the issue and says it will issue a patch, but has not yet said when that patch will be available. The Sans Internet Storm Centre recommends applying an unofficial patch.”
Development of a patch continues apace and Microsoft says the security update is now being finalised through testing to ensure quality and application compatibility. It is likely to be launched on 10 January as part of Microsoft’s monthly release of security bulletins on the second Tuesday of each month.
Whilst security professionals will appreciate Microsoft’s efforts to release rigorously tested patches, that launch will come more than two weeks after the original attack was discovered, which is what prompted the Sans Institute’s advice.