Windows users swamp WMF patch site

Site hosting unauthorized protection against Microsoft flaw goes offline after "half the planet" tries to download the fix.

Tom Espiner Special to CNET News

A site hosting unauthorized protection against the Microsoft Windows Meta File flaw has been taken offline after being swamped by users trying to protect themselves from a growing list of threats.

Ilfak Guilfanov's personal Web site was switched off by his hosting provider on Wednesday morning after hordes of Microsoft users scrambled to download his unofficial patch against the WMF vulnerability, according to antivirus company F-Secure.

The site was temporarily closed as "half the planet tried to download WMFFIX_HEXBLOG.EXE," F-Secure reported in its blog.

At the time of writing, the unofficial patch is again available from Guilfanov's site. It's also available from the Sunbelt Blog.

Microsoft has advised businesses not to use the patch, as the company cannot guarantee it will work. But with no official patch due to be released until next week, security experts are urging businesses to use the unofficial patch because of the serious nature of the WMF vulnerability.

The WMF flaw can be used by malicious software to surreptitiously install spyware on a user's PC or allow a hacker to control the machine remotely.

Several attacks have been detected since late December, and on Wednesday, experts detected another Trojan horse that exploits the flaw. F-Secure warned that the Trojan was spreading in spam e-mails labeled as coming from Yale University.

To minimize risk from the Trojan, system administrators have been advised by F-Secure to block user access to the following:

• HTTP access to playtimepiano(dot)home(dot)comcast(dot)net
• TFTP (i.e., UDP) access to 86.135.149.130
• IRC access to 140.198.35.85:8080
• IRC access to 24.116.12.59:8080
• IRC access to 140.198.165.185:8080
• IRC access to 129.93.51.80:8080
• IRC access to 70.136.88.76:8080

F-Secure warned businesses and system administrators not to visit the HTTP address.