Wait for Windows patch opens attack window

Microsoft is still working on a fix for a serious flaw in its OS, leaving people to face a week of increasingly sophisticated attacks.

Joris Evers Staff Writer, CNET News.com
A serious flaw in Windows is generating a rising number of cyberattacks, but Microsoft says it won't deliver a fix until next week.

That could be too late, security experts said. The vulnerability, which lies in the way the operating system renders Windows Meta File images, could infect a PC if the victim simply visits a Web site that contains a malicious image file. Consumers and businesses face a serious risk until it's fixed, experts said.

"This vulnerability is rising in popularity among hackers, and it is simple to exploit," said Sam Curry, a vice president at security vendor Computer Associates International. "This has to be taken very seriously, and time is of the essence. A patch coming out as soon as possible is the responsible thing to do."

What's new:
Microsoft says customers will have to wait till next week for a patch for a Windows Meta File flaw that has opened the door to a flood of cyberattacks.

Bottom line:
The delay will leave businesses and consumers unprotected during seven days of attacks that promise to become increasingly sophisticated, experts warn.

Microsoft has come under fire in the past for the way it releases security patches. The company responded by instituting a monthly patching program, so system administrators could plan for the updates. Critics contend that in high-urgency cases such as the WMF flaw, Microsoft should release a fix outside of its monthly schedule.

Details on the WMF security problem were publicly reported last week. Since then, a number of attacks that take advantage of the flaw have surfaced, including thousands of malicious Web sites, Trojan horses and at least one instant messaging worm, according to security reports.

More than a million PCs have already been compromised, said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. He has found a hidden Web site that shows how many copies of a program that installs malicious software have been delivered to vulnerable PCs.

Microsoft has said that a patch will not be made available until Jan. 10, its next official patch release day. That delay could provide an opportunity for attackers, security provider Symantec said on Tuesday.

"There is a potential 7-day window for which attackers could exploit this issue in a potentially widespread and serious fashion," Symantec said in a notice sent to subscribers of its DeepSight alert service.

Hackers have been quick to craft tools that make it easy to create malicious image files that take advantage of the flaw, experts said. These new files can then be used in attacks. The tools themselves can be downloaded from the Internet.

Many of the attacks today use the unpatched bug to attempt to install unwanted software, such as spyware and programs that display pop-up advertising, on Windows PCs. The flaw affects all current versions of the operating system, and a vulnerable system can be attacked simply if the user views a specially crafted image, according to a Microsoft security advisory.

In most cases, the attacks require a user to visit a malicious Web site, but the schemes are likely to become more sophisticated, antivirus specialist Marx said.

"I'm sure it's just a matter of days until the first (self-propagating) WMF worm will appear," he said. "A patch is urgently needed."

Microsoft is urging people to be cautious when surfing the Web. "Users should take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code," it said in its advisory.

But most ordinary PC owners simply aren't aware of this type of threat, said Stacey Quandt, an analyst with the Aberdeen Group. "There are a lot of Windows users who aren't paranoid enough about never clicking on an unknown link," she said.

Patch ahoy
Microsoft has completed a fix for the problem and is currently testing and localizing the update into 23 languages, the software maker said in its advisory, updated on Tuesday. "Microsoft's goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins," the company said.

To protect Windows users, Microsoft shouldn't wait but should release the patch now, several critics said.

"The flaw is actively exploited on multiple sites, and antivirus provides only limited protection," said Johannes Ullrich, the chief research officer at the SANS Institute. "Active use of an exploit without sufficient mitigating measures should warrant the early release of a patch, even a preliminary, not fully tested patch."

Marx agreed. "As the vulnerability is already known, Microsoft should make this patch available now," he said. System administrators could do their own testing and then apply the patch, Marx and Ullrich said.

Increasingly sophisticated computer code that exploits the Windows flaw has been made publicly available, Symantec said. In response, the security provider raised its ThreatCon global threat index to Level 3.

Microsoft, however, said the threat is limited. "Although the issue is serious, and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks is not widespread," the software maker said in its advisory.

Calculating potential cost
Whether to issue the fix sooner rather than later has to be a matter of risk analysis, CA's Curry said. "They have to balance out what the risk involved with not having a patch for a day or two days is, versus not testing all scenarios. The only thing they could do worse than delaying a patch is if they bring out a bad patch," he said.

Part of the problem is that Microsoft's software is complicated and vulnerable to unintended side effects of patches, Quandt said. If the company sends out a fix prematurely, the update could cause bugs that affect the normal operation of systems, she said.

Beyond this single instance is what appears to be a wider problem with WMF files, said John Pescatore, a Gartner analyst. Other flaws related to WMF have been put right in recent months, he noted.

"I hope Microsoft is going to fix the underlying problem in how WMF files are handled," he said. "We need a stronger fix, so that we're not going to see another vulnerability like this one two weeks from now."

While Microsoft is testing its patch, users can protect themselves with an unofficial, third-party fix. In an unusual move, some security experts are even recommending that people apply this solution while waiting for Microsoft to deliver the official update.

"We carefully checked this patch and are 100 percent sure that it is not malicious," the SANS Institute's Ullrich said. "The patch is, of course, not as carefully tested as an official patch. But we feel it is worth the risk. We know it blocks all exploit attempts we are aware of."

F-Secure, an antivirus company in Finland, has also tested the fix, created by Ilfak Guilfanov, a programmer in Europe. "We've tested and audited it and can recommend it. We're running it on all of our own Windows machines," said Mikko Hypponen, chief research officer at F-Secure.

But Microsoft cautions against Guilfanov's patch. "As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software," Microsoft said.

At least one user has reported difficulties after installing the fix. The update can cause network printing problems, according to an e-mail sent to the Full Disclosure security mailing list.

While some critics have given Microsoft's response to the WMF flaw a failing grade, the company has also gained some respect for its handling of the issue.

"Everybody would like to see the patch as soon as possible, but I can't blame Microsoft for wanting to test it thoroughly," Hypponen said. "However, if a widespread worm is found before next Tuesday, I do believe they will break the cycle and just release the patch."

As the official January patch day is only next week, the length of the wait for the update is fine, Gartner's Pescatore said.

"If we were three weeks, or almost four weeks from the next regular patch cycle, it might be a different story," he said. "This close, most enterprises don't want to go through one patch this week and another next week."

Still, Gartner is urging people to protect themselves while waiting for Microsoft's fix, by blocking access to known malicious sites, for example, Pescatore said. Microsoft also offers some workarounds in its advisory.