WMF, Flaw, image, Patch, executable, Trojan horse, trusted computing
Microsoft plans to scour its code to look for flaws similar to a recent serious Windows bug and to update its development practices to prevent similar problems in future products.
The critical flaw, in the way WMF images are handled, is different to any security vulnerability the software maker has dealt with in the past, Kevin Kean and Debby Fry Wilson, directors in Microsoft's Security Response Centre, said in an interview with ZDNet UK sister site CNET News.com. Typical flaws are unforeseen gaps in programs that hackers can take advantage of and run code. By contrast, the WMF problem lies in a software feature being used in an unintended way.
In response to the new threat, the software company is pledging to take a look at its programs, old and new, to avoid similar side effects.
"Now that we are aware that this attack vector is a possibility, customers can be certain that we will be scrubbing the code to look for any other points of vulnerability based on this kind of attack," Fry Wilson said.
Microsoft has been working for years to improve its security posture, beginning with its Trustworthy Computing Initiative, launched in early 2002. The WMF problem is not a good advertisement for Microsoft's security efforts, one analyst said, as the legacy issue seemingly went undetected.
"This should have been caught and eliminated years ago," Gartner analyst Neil MacDonald said. "They overlooked image format files, and that is where this WMF issue came in."
Microsoft now faces a race with cybercriminals, who are probably on the prowl for the same bugs as well, experts said. The software maker is in a constant battle with miscreants who seek to attack computer users.
When WMF files were designed in the late 1980s, a feature was included that allowed the image files to contain computer code that could be executed on a PC, said Mikko Hyppönen, chief research officer at Finnish security company F-Secure.
"This was not a bug; this was something that was needed at the time," Hyppönen said. "It is just bad design, design from another era." The graphics file format was introduced with Windows 3.0 in early 1990. Executable code in the image file could help abort the processing of large images on the slow systems of yesteryear, security experts said.
Ilfak Guilfanov, a European software developer who made headlines by beating Microsoft to the punch with a fix for the Windows flaw, agreed. "WMF was designed a long time ago, when information security was not considered an essential part of software design," he said.
Trojan horses, instant messaging worms and thousands of Web sites were found to attack users with specially crafted WMF files. A vulnerable Windows computer might have been compromised simply if the user visited a Web site that contained a malicious image file, or opened such a file in an email message or an Office document.
Many of the attacks installed spyware or other unwanted programs on the PCs of unwitting Windows users. At least a million computers were compromised, according to Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. The WMF issue is also expected to be a conduit for many future threats, experts have said.
Response speed
Microsoft's fix for the flaw was the quickest turnaround ever for a
Microsoft patch, released only 10 days after the vulnerability was made
public, Fry Wilson said.
While Microsoft was able to repair the problem...
For more, click here...
In order to post a comment you need to be registered and logged in
Log in or create your ZDNet UK account below
By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Membership FAQ
Hi Jamie, I'm sorry your comment got caught in the spam filter. We use an industry standard blacklist for this. I suspect that the comment may...
3 hours ago by Karen Friar on Spam? Filter Changed?
Pop - Neither have I. Ever, under any circumstances. I'm much more accustomed to Windows slowly, but inexorably, consuming more and more disk...
4 hours ago by J.A. Watson on Can you believe it - 2765 kB will be freed?
Apple are currently pushing to get tv content on the iPad by April 3rd. This could possibly be seen as a spoiler for that announcement I suppose....
17 hours ago by John Molloy
Hey - presume you mean something that builds on Apple's existing TV device? Apple have already had a couple of runs at building Apple TV and it's...
23 hours ago by Andrew Donoghue on Google's TV timing may reveal more to come
Google, Sony, Intel may build TV project www.zdnet.co.uk/news/emerging-tech/2010/03/18/google-sony-intel-may-build-tv-project-40088359/
23 hours ago on Twitter by BVE2011
70,0000 to 90,0000 computers? A very small number considering some of these botnets are in the millions, and there are so many of them operating,...
1 day ago by ator1940 on Microsoft says it decimated Waledac botnet I agree Roger, and why can't they write secure code? What will happen when they find stolen code in windows? They have a track record of...
1 day ago by ator1940 on Microsoft lashing out at Linux, open source Do you think it will really take days?
1 day ago by ator1940 on Microsoft previews Internet Explorer 9 with HTML 5 support
Wonder how many days it will take before somebody codes an exploitive hack for IE9?
2 days ago by Xwindowsjunkie on Microsoft previews Internet Explorer 9 with HTML 5 support
There are some really good people in Microsoft and I wonder, how embarassing it must be for them to see how the organisation behaves from it's...
2 days ago by roger andre on Microsoft lashing out at Linux, open source On further inspection, it looks like some things are missing, is it possible that there was a time lag between whatever state the site was in that...
2 days ago by J.A. Watson on Welcome to the new ZDNet UK community!
Ok. Now I'm getting annoyed. Previously I could just click on just about any item or comment I saw and get a reply box. How do I manage that...
2 days ago by Tezzer on ZDNet UK: faster, smarter, still IT all the way hey Roger. Think I have spotted a bug as when I click on my name it takes me to the same page as if I had clicked on "Edit Profile". i.e...
2 days ago by Andrew Donoghue on ZDNet UK - Now cleaner than an Archbishop's conscience
Great new look for ZDNET UK web-site http://bit.ly/9R5eAA to check it out @ZDNetUK #zdnet
2 days ago on Twitter by ajclarke
Microsoft previews Internet Explorer 9 with HTML 5 support - zdnet.co.uk http://bit.ly/9FSh23
2 days ago on Twitter by feedfrog
We were just pondering on when IE will get HTML5 and CSS3 onboard! this is excellent
2 days ago by kencogold on Microsoft previews Internet Explorer 9 with HTML 5 support
RT @suziedaniels: relaunched www.zdnet.co.uk raises the bar yet again! its so fast it makes my eyes bleed.
2 days ago on Twitter by riptari This is brilliant - I borrowed one and straight away saw that a few AP`s were set up to the wrong country. It gives interference levels on each...
2 days ago by Bob Preece on Fluke Networks AirCheck Wi-Fi Tester
http://www.zdnet.co.uk/news/networking/2010/03/11/european-parliament-votes-down-acta-treaty-40085614/ (Where does this leave #Debill?)
2 days ago on Twitter by _SimonArnoldmeFor multi-store outlets, including retail, banking, grocery, gas, hospitality, convenience stores and others, reducing (or avoiding) the cost of in-store system support and maintenance while maintaining compliance with PCI and other requirements has become a strategic challenge.
Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc. As Enterprises are increasingly connected to the Internet and as hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in Enterprise computing.
This tutorial is for new MindManager users and teaches you how to get started, by creating maps, reading maps and organizing your information.
Talkback
I thought their goal was to let the consumer find the bugs and then find a patch or include it in the next OS update.
10 Jan 06 13:23 Reply"Microsoft's fix for the flaw was the quickest turnaround ever for a Microsoft patch, released only 10 days "
I sure am glad it doesn't take Linux 10 days to issue patches.
At this point, wouldn't it be easier for Microsoft to locate the fewer lines of code WITHOUT bugs or "design flaws"? I don't understand, wasn't Windows V2 from the 1980s supposed to be when MS fixed the software made it stable, plug and play, and user friendly? It certainly saves them money being able to make the same promises with every future edition of Windows. I bet the 2020 edition advertises itself to be finally stable, secure, free of errors, user friendly etc.... MS must feel we are Charlie Brown to their Lucy with Windows being the football.
10 Jan 06 13:48 ReplyRichard Finkelstein
"I'm about to destroy your life's work...ok?"
The common (and certainly correct) assumption is that, as soon as a vulnerability is discovered in a MS product, malicious hackers start beating on the code in that area to see if they can turn up other exploitable flaws. One might think, then, that MS would do the same. An integer overflow vulnerability was discovered in WMF file rendering in early Nov. '05 and the ISC has received submissions of examples of attacks exploiting the (later) SetAbortProc vulnerability that were apparently in circulation as early as mid-Nov (thus seeming to prove the first assumption above). So - how does this square with Fry Wilson's claim that the MS patch was "the fastest turnaround ever"? Was MS not beating on WMF rendering trying to find other flaws from early-Nov on? Were they so incompetent that they couldn't develop a fix, even though third-party coders had one in a couple of days after the public revelation in late-Dec? Or did they simply not care?
10 Jan 06 14:04 Reply