Proactive IT Security
 

New vulnerability in Windows systems - no patch available

28 December 2005

Several sources today report a new vulnerability in Windows systems.

A link to what seems to be a working exploit of an unpatched vulnerability has been published. The exploit code (proof of concept) is reported to reside on a special web page that runs a specially crafted Windows Metafile (WMF) in an IFRAME. This WMF file installs a program on computers that visit the malicious web page.

Users of Internet Explorer are reported to get no warning whatsoever before the program is installed. It is further reported that users of the Firefox browser are asked whether they want to load an image in "Windows Picture and Fax Viewer". Since many users regard images as safe, it is tempting to answer yes and thus become infected.

As of this writing no patch for the vulnerability is available.

Norman advises users to be careful when surfing the Internet, and not to visit web sites that seem "suspicious" in name and/or content. One should also be careful before clicking links to web pages received in emails or instant messaging systems.

This Security Advisory will be updated when more information is available.

Update 29 December 2005

Microsoft has published a security advisory on this issue, titled "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution" (no patch yet, though).

According to this advisory, all current Windows versions are vulnerable. Microsoft's advisory is available here.

Update 31 December 2005

Norman has released a new scanner engine, as an Internet Update download to all users of Norman's antivirus solutions, that is intended to generically detect all malware that utilizes this exploit.

Update 1 January 2006

Another technique for exploiting the vulnerability has been made public. This one is more advanced, and malware that uses it has been seen in the wild. Norman today released a new set of virus detection files that detect the known trojan, and shortly thereafter a new scanner engine that aims to detect all malware that uses this technique for exploiting the vulnerability.

The risk assessment of this latest malware is set to HIGH by Norman.

Norman views this as a highly dangerous situation: literally hundreds of millions of Windows-based computers are vulnerable to new variants of exploits for the security hole. There is still no patch available from Microsoft.

We recommend the SANS organization's Internet Storm Center as a useful, continuously updated web site for more in-depth information about this situation.

Update 3 January 2006

The above-mentioned advisory from Microsoft has been updated with current plans for the release of a patch for this vulnerability.

Part of Microsoft's current statement is:

"(...) Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing. (...)"

Update 4 January 2006

Norman today released a new scanner engine that further improves detection of malware that utilizes this vulnerability.

Update 5 January 2006

Microsoft today released a critical update for this vulnerability, ahead of the previously announced date (10 January).

You may download the patch from http://windowsupdate.microsoft.com (Internet Explorer is required) or from the Security Bulletin mentioned below.
More information is available in Microsoft's Security Bulletin MS06-001.

Norman strongly advises users to download the security update as soon as possible.

Per Olav Førland