Microsoft to issue software patch to fix WMF vulnerability

Microsoft Corp. announced today that it has developed and is testing a fix for the Windows Meta File vulnerability and that it expects to release it Jan. 10 as part of its regular monthly release of security patches.

In the meantime, the SANS Institute of Bethesda, Md., has packaged a third-party patch to protect users against the exploits that have become numerous over the past week.

Although some security experts question the wisdom of installing unsupported third-party security patches, the SANS Internet Storm Center says it has verified that the patch works and that the severity of the threat warrants its use.

A link to the patch is available at http://isc.sans.org.

The WMF vulnerability is seen as particularly dangerous because computers can become infected by displaying images containing malicious code on Web sites and in e-mail or other files. Exploits began appearing Dec. 27, before patches for the problem were available, making it more likely that computers would be infected.

Ken Dunham, director of the iDefense Rapid Response Team at Verisign Inc. of Mountain View, Calif., said the threat is escalating, with improved versions of exploits cropping up.

"WMF exploitation has rapidly become a major threat, especially as the workweek resumes after a long holiday weekend," Dunham said. "Hackers are quickly leveraging WMF attacks. Hundreds of hostile sites have been reported and dozens already confirmed. Once a hostile WMF file makes its way to a vulnerable desktop, it's 'game over.' The computer will become infected rapidly unless one of the limited workarounds or a third-party patch are able to block the attack."

The iDefense team has reported that Windows XP with service packs 1 and 2, and Windows 2003 with service pack 1 are vulnerable to the WMF bug. Windows 2000, ME and 98 are not vulnerable.

Antivirus companies have produced signatures for known exploits. Other workarounds include using open source Snort signatures to block attacks, enabling Software Data Execution Protection to block programs, un-registering the shimgvw.dll, blocking WMF file types and configuring Internet Explorer to a high-security level.

None of these is completely successful, however, and new exploits that avoid signatures are being identified.

Microsoft said it began working on a fix for the vulnerability Dec. 27 and has completed the patch.

"The security update is now being finalized through testing to ensure quality and application compatibility," the company said in a statement.

The patch will be available through the automatic Microsoft Update and Windows Update services, as well as through Microsoft's Download Center and through Windows Server Update services for enterprise customers.

William Jackson is a senior writer for Washington Technology's sister publication, Government Computer News.