
WMF Exploits Sold by Russian Hackers

By Editorial Staff


February 3, 2006 11:50AM


According to Moscow-based antivirus firm Kaspersky Labs, Russian hackers propagated the Windows Meta File (WMF) exploit that wreaked so much havoc on computers in December 2005 by selling it to Internet criminals for $4,000. The exploit took advantage of a bug in Windows’ rendering of WMF images, putting PC users at risk when they visited Web sites that had been infected by the exploit.

WMF images are graphical files that can contain both vector and bitmap-based picture information. Microsoft Windows contains procedures for displaying such files, but a lack of input validation in one of these routines leaves unpatched systems vulnerable to what is called a buffer overflow, which in turn allows the execution of remote code by those with malicious intent.

The vulnerability, which can be triggered through Internet Explorer, is present in unpatched systems running Microsoft Windows XP SP2. Microsoft Windows XP SP1 and Microsoft Windows Server 2003 systems also are affected.

Microsoft was forced to issue an emergency patch for the bug on January 5, well ahead of its usual patch schedule.


Web Site Posting

In a posting on its Web site, Kaspersky said that over a thousand instances of malicious code based on the exploit were detected in a week. But because of the Christmas holiday season, less damage occurred than might have happened otherwise, Kaspersky said.

According to Kaspersky researchers, the person who discovered the exploit in early December began selling it by the middle of that month to anyone prepared to pay $4,000. But the antivirus community only identified the exploit on December 27.

When antivirus experts reviewed files that had been corrupted by the WMF exploit, they realized that the exploit had originated on Web sites that secretly put adware on Internet users’ PCs.

Security analysts have characterized the vulnerability as particularly nasty because there is no built-in protection for browsers that automatically load images when users visit a Web site.


Opportunistic Criminals

“The fact is that cyber criminals are opportunistic and will seek any means to take control of users’ systems,” said Stacey Quandt, research director of security solutions and services at Boston, Massachusetts-based I.T. consultancy Aberdeen Group.

“The WMF vulnerability offers cybercriminals a way to take control of a user’s system for the purpose of identity theft, fraud, or other means for financial gain,” she said.

Quandt also said that Microsoft had understood the potential severity of this exploit because it released a patch in advance of its monthly update release last month.

“Since then, the window of opportunity for cybercrime for this particular vulnerability is limited to those users who have yet to patch their systems,” Quandt said.

In an Aberdeen Group research report on the WMF exploit, Quandt warned PC users to monitor Microsoft’s security alerts and to make sure they downloaded all required patches. Otherwise, users risk their computers being compromised by malicious exploits, she said.

Quandt also warned that the exploit had demonstrated that not all antivirus programs are equally effective. While antivirus software from vendors such as Symantec, Sophos, and McAfee identified the exploit, other programs missed it, she pointed out.
