Users of AMD's processors may want to think twice before looking for technical support on the company's website. Customer support discussion forums on the site have been compromised and are being used in an attempt to infect visitors with malicious software, an AMD spokesman confirmed yesterday.
The problem was first reported yesterday in a blog posting by Mikko Hypponen, manager of antivirus research at F-Secure. Yesterday morning, AMD technicians were still working to resolve the problem, according to AMD spokesman Drew Prairie.
Because the firm had just learned of the problem, Prairie could give few details on how the site was compromised or when AMD expected to have the issue resolved. "It's being worked on and corrected," he said.
According to Hypponen, attackers are exploiting a widely reported flaw in the way the Windows operating system renders images that use the WMF (Windows Metafile) graphics format. This flaw was patched on 5 January, so users who are running versions of Windows that have the latest patches installed are not at risk, he said.
Attackers have figured out a way to use AMD's forums to deliver maliciously encoded WMF images to visitors, which are then used to install unauthorised software on the unpatched systems, he said.
In this case, the software appears to be a number of different malicious toolbars. "Most of the toolbars show pop-ups, follow your search and other keyword activity, and use that to target adverts at you," Hypponen said. "It's for-profit hacking. Somebody is making money from each machine that is hit by these toolbars."
Because of the nature of the WMF vulnerability, however, hackers could install any type of software they wanted on unpatched systems, he said.
How the attackers were able to compromise the forums is unclear. Hypponen said the AMD server could have been hacked, but the problem could also be due to an intrusion at an AMD partner website or at an ISP.
These kind of WMF exploits have already been seen on a number of websites, but AMD is the most high-profile victim, Hypponen said. Because users tend to trust content being served by known websites, the hack is particularly troublesome, he added.
Ironically, AMD website visitors who are using chips that support the new DEP (Data Execution Prevention) feature, which prevents software from running where it doesn't belong, are probably protected from the WMF malware. "If you are running an AMD processor with DEP enabled, it likely protects you from the vulnerability that hit you from the AMD site," Hypponen said.