While some security researchers advise Windows users to rush to install an unofficial patch to fix a vulnerability in the way the OS renders graphics files, Microsoft wants customers to wait another week for its official security update, it announced today.
The problem involves the way various versions of Windows handle graphics in the WMF (Windows Metafile) format. When a vulnerable computer opens a maliciously crafted WMF file, it can be forced to execute arbitrary code. Microsoft published a first security advisory on 28 December, saying it had received notification of the problem on 27 December and was investigating whether a patch was necessary.
On Tuesday, Microsoft updated the advisory to say it had completed development of its own patch, and is now testing it for release next week.
"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on 10 January 2006," said the advisory.
The company said it carefully reviews and tests its security updates, and offers them in 23 languages for all affected versions of its software simultaneously. It cannot provide similar assurance for independent third-party security updates, it said.
The number of users potentially at risk is high, with all versions of Windows exhibiting the vulnerability, but the number actually affected so far is relatively low, researchers say.
However, the chance of running into a malicious WMF file is climbing, and with it the danger of running an unpatched system. Already, one security website has had to warn its readers to stay away: the owners of knoppix-std.org said in a forum posting that hackers had modified the site so that it attempted to exploit the vulnerability on visitors' machines.
There is "a lot of potential risk" associated with the vulnerability, according to Jay Heiser, a research vice-president with Gartner and the company's lead analyst on information security issues. "If it can be exploited in any significant way, it would be an extremely big risk," he said.
"It's a race between Microsoft and the exploit community."
The bad guys had a head start in that race. Security researchers at Websense first spotted malicious websites using the exploit on 27 December, but those sites may have been doing so as early as 14 December, the company said.
On 28 December, Microsoft left the starting blocks with its first security advisory acknowledging a potential problem.
Over the weekend, it updated this to suggest a way in which users could reduce the risk by disabling an affected component of the OS, shimgvw.dll. Microsoft warned that the workaround has the side effect of stopping the Windows Picture and Fax Viewer from functioning normally. Others report that it also stops Windows Explorer from showing thumbnails for digital photos.
Security researchers outside Microsoft had other ideas: rather than disable shimgvw.dll, they would modify it so that only the functionality considered dangerous was blocked. By New Year's Eve, programmer Ilfak Guilfanov had developed an unofficial patch to reduce the danger of attack, without impairing Windows' graphics functions.
His patch quickly won the support of security researchers including the SANS Institute's Internet Storm Center and F-Secure.
Mikko Hypponen, chief research officer at F-Secure, said he feels safe recommending the Guilfanov patch for several reasons.
"We know this guy. We have checked the code. It does exactly what he says it does, and nothing else. We've checked the binary, and we've checked that the fix works," he said.
In a final vote of confidence, he added: "We've installed it on all our own computers."
Sophos senior security consultant Carole Theriault advised businesses not to install the unofficial patch. "We wouldn't recommend it, for testing reasons," she said.
One of the hidden dangers of the WMF vulnerability is that things are not always what they appear to be. Usually, WMF files can be identified by their .WMF file extension and blocked as a precaution, but attackers may disguise malicious files simply by giving them another image file suffix, such as .JPG, because the Windows graphics rendering engine identifies graphics files by their content, not their name. That was the case with a file named happynewyear.jpg that began circulating in email messages on 31 December. If opened on a Windows machine, the file attempts to download and install a backdoor called Bifrose.
As a consequence, said Theriault, businesses should keep existing antivirus protection up to date and concentrate on blocking unsolicited mail while waiting for the Microsoft patch, as this may help to screen out attacks. They should encourage users to practise safe computing by only visiting reputable websites and taking care with what they download, she said.
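The disguise described above, a WMF body carrying a .JPG name, is only caught by a filter that inspects content the way the Windows renderer does. The following is an added example (not code from the article, Microsoft or any antivirus vendor) of such a check for a mail gateway; it uses the published WMF header values, and the sample files are constructed inline, not the real happynewyear.jpg.

```python
"""Content-vs-extension check for WMF files disguised as other image types."""
import struct

# Published magic values for the formats involved.
PLACEABLE_WMF_KEY = 0x9AC6CDD7          # Aldus placeable WMF header key (little-endian uint32)
JPEG_SOI = b"\xff\xd8\xff"              # JPEG start-of-image marker
WMF_VALID_TYPES = (1, 2)                # METAHEADER.mtType: 1 = memory, 2 = disk
WMF_VALID_VERSIONS = (0x0100, 0x0300)   # METAHEADER.mtVersion
WMF_SUFFIXES = (".wmf", ".emf")


def sniff_image_type(data: bytes) -> str:
    """Identify the image format from content alone, ignoring the file name."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return "wmf"
    if len(data) >= 6:
        mt_type, mt_header_size, mt_version = struct.unpack("<HHH", data[:6])
        if mt_type in WMF_VALID_TYPES and mt_header_size == 9 and mt_version in WMF_VALID_VERSIONS:
            return "wmf"
    return "unknown"


def should_block(filename: str, data: bytes) -> tuple[bool, str]:
    """Gateway policy: block WMF content whatever the name claims, and the
    .WMF suffix as a precaution. Returns (block, reason)."""
    lower = filename.lower()
    kind = sniff_image_type(data)
    if kind == "wmf":
        if not lower.endswith(WMF_SUFFIXES):
            suffix = lower.rsplit(".", 1)[-1]
            return True, f"WMF content disguised with suffix {suffix!r}"
        return True, "WMF content"
    if lower.endswith(WMF_SUFFIXES):
        return True, "WMF extension"
    return False, f"{kind} content, no WMF signature"


# Constructed samples (hypothetical bytes): a standard METAHEADER renamed to
# .jpg, and a genuine JPEG. Neither is the malicious file from the article.
DISGUISED = b"\x01\x00\x09\x00\x00\x03" + b"\x00" * 26
GENUINE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12

if __name__ == "__main__":
    for name, blob in (("happynewyear.jpg", DISGUISED), ("holiday.jpg", GENUINE_JPEG)):
        print(name, should_block(name, blob))
```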