PRESS RELEASE
For release December 30, 2005
Zero-day vulnerability in Windows still unpatched
Hundreds of millions of PCs still at risk; F-Secure able to stop the malicious files
December 30, 2005
The zero-day vulnerability related to Windows' WMF files first reported on
December 27 is still unpatched by Microsoft. At that time Trojan downloaders
were seen to actively exploit the vulnerability with fully patched Windows XP
SP2 machines.
Windows metafiles are image files used by popular applications such as
Microsoft Word. So far WMF exploits have typically been used to install
spyware and adware, although the threat of virus and worm exploits remains.
Users can be infected simply by visiting a web site with an image file
containing the WMF exploit. Internet Explorer users are at the greatest risk
of automatic infection while Firefox and Opera browser users are prompted
with a question whether they'd like to open the WMF image or not. They get
infected too if they answer 'Yes'.
Microsoft and CERT.ORG issued bulletins on the Windows Metafile vulnerability
and also announced a workaround while Microsoft is creating a patch.
Microsoft confirms that the vulnerability applies to all the main versions
of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003. This means
there are hundreds of millions of vulnerable computers at the moment.
As a precaution, F-Secure recommends that administrators block access to all
WMF files at the HTTP proxy and SMTP level. Consumers are also advised to enable
the Windows automatic update system, reject any emails sent to them with
WMF or other dubious-looking attachments, and ensure that their virus
protection is up to date.
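As an added example that is not part of the press release and not F-Secure's own code, the check below shows how a proxy or mail filter could implement the WMF-blocking advice above by recognising WMF content from its header rather than trusting the file name. The header layouts are assumed from the public WMF format, and the sample files are constructed here, not real malware.

```python
import struct

# Aldus placeable WMF header key (assumed from the public WMF format; stored little-endian)
PLACEABLE_KEY = 0x9AC6CDD7


def _has_standard_header(buf):
    """META_HEADER: Type (1=memory, 2=disk), HeaderSize of 9 words, Version 0x0100 or 0x0300."""
    if len(buf) < 18:
        return False
    mtype, hsize, version = struct.unpack_from("<HHH", buf, 0)
    return mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300)


def is_wmf(data):
    """True when the bytes start with a WMF header, with or without the placeable wrapper."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True  # block on the placeable key alone; a filter should stay conservative
    return _has_standard_header(data)


def should_block(name, data):
    """Block on extension OR on content, so a renamed file does not slip past the filter."""
    return name.lower().endswith(".wmf") or is_wmf(data)


def _standard_header():
    # Constructed minimal disk metafile: 18-byte header followed by a 6-byte EOF record.
    header = struct.pack("<HHHHHHIH", 2, 9, 0x0300, 12, 0, 0, 3, 0)
    return header + struct.pack("<IH", 3, 0)


def _placeable_header():
    # Constructed 22-byte placeable header; checksum is the XOR of the first ten words.
    body = struct.pack("<IHhhhhHI", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0
    for (word,) in struct.iter_unpack("<H", body):
        checksum ^= word
    return body + struct.pack("<H", checksum)


# Constructed sample inputs: a plain WMF, WMF content behind a .jpg name, a JPEG prefix, text.
SAMPLES = {
    "logo.wmf": _standard_header(),
    "banner.jpg": _placeable_header() + _standard_header(),
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 20,
    "note.txt": b"hello world",
}


def classify(samples):
    return {name: should_block(name, data) for name, data in samples.items()}
```

Running `classify(SAMPLES)` flags both WMF samples and leaves the JPEG and text file alone.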
F-Secure Anti-Virus detects the offending WMF files with generic detection
either as PFV-Exploit or Exploit.Win32.IMG-WMF.
Speaking about the case, Chief Research Officer at F-Secure, Mikko Hypponen
said: "So far, we've only seen this exploit being used to install spyware or
fake antispyware and antivirus software on the affected machines. I'm afraid
we'll see real viruses using this soon. We've seen 70 different versions of
malicious WMF files so far."
Hypponen pointed out that the WMF exploit has been used with a clear criminal
motivation to install spyware and to dupe ordinary consumers into purchasing
fake security products for their computers.
Until a patch is issued, Hypponen recommended that administrators filter the
following domains at corporate firewalls:
For updates on the WMF vulnerability, please check the F-Secure Viruslab
blog, which broke the news on the 28th of December:
http://www.f-secure.com/weblog/
About F-Secure Corporation
F-Secure Corporation protects consumers and businesses against computer
viruses and other threats from the Internet and mobile networks. We want to
be the most reliable provider of security services in the market. One way to
demonstrate this is the speed of our response. According to independent
studies in 2004 and 2005 our response time to new threats is significantly
faster than our major competitors. Our award-winning solutions are available
for workstations, gateways, servers and mobile phones. They include antivirus
and desktop firewall with intrusion prevention, antispam and antispyware
solutions, as well as network control solutions for Internet Service
Providers. Founded in 1988, F-Secure has been listed on the Helsinki
Exchanges since 1999, and has been consistently growing faster than all its
publicly listed competitors. F-Secure headquarters are in Helsinki, Finland,
and we have regional offices around the world. F-Secure protection is also
available as a service through major ISPs, such as France Telecom,
TeliaSonera, PCCW and Charter Communications. F-Secure is the global market
leader in mobile phone protection provided through mobile operators, such as
T-Mobile and Swisscom and mobile handset manufacturers such as Nokia.
For the latest information about the Windows vulnerability please visit the
F-Secure Data Security Lab weblog at:
http://www.f-secure.com/weblog/
For further information, please contact:
F-Secure Corporation
Mikko Hypponen, Chief Research Officer
PL 24
FIN-00181 Helsinki
Gsm +358 400 648 180
http://www.F-Secure.com
For details about Microsoft's latest announcements about the Windows
vulnerability, please go to:
http://www.microsoft.com/technet/sec...ry/912840.mspx
http://www.kb.cert.org/vuls/id/181038