Posted on 01/02/2006 3:54:03 PM PST by Swordmaker
Computer security experts were grappling with the threat of a newweakness in Microsoft’s Windows operating system that could put hundreds of millions of PCs at risk of infection by spyware or viruses.
The news marks the latest security setback for Microsoft, the world’s biggest software company, whose Windows operating system is a favourite target for hackers.
“The potential [security threat] is huge,” said Mikko Hyppönen, chief research officer at F-Secure, an antivirus company. “It’s probably bigger than for any other vulnerability we’ve seen. Any version of Windows is vulnerable right now.”
The flaw, which allows hackers to infect computers using programs maliciously inserted into seemingly innocuous image files, was first discovered last week. But the potential for damaging attacks increased dramatically at the weekend after a group of computer hackers published the source code they used to exploit it. Unlike most attacks, which require victims to download or execute a suspect file, the new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.
“We haven’t seen anything that bad yet, but multiple individuals and groups are exploiting this vulnerability,” Mr Hyppönen said. He said that every Windows system shipped since 1990 contained the flaw.
Microsoft said in a security bulletin on its website that it was aware that the vulnerability was being actively exploited. But by early yesterday, it had not yet released an official patch to correct the flaw. “We are working closely with our antivirus partners and aiding law enforcement in its investigation,” the company said. In the meantime, Microsoft said it was urging customers to be careful opening e-mail or following web links from untrusted sources.
Meanwhile, some security experts were urging system administrators to take the unusual step of installing an unofficial patch created at the weekend by Ilfak Guilfanov, a Russian computer programmer.
Concerns remain that without an official patch, many corporate information technology systems could remain vulnerable as employees trickle back to work after the holiday weekend.
“We’ve received many e-mails from people saying that no one in a corporate environment will find using an unofficial patch acceptable,” wrote Tom Liston, a researcher at the Internet Storm Center, an antivirus research group. Both ISC and F-Secure have endorsed the unofficial fix.
Microsoft routinely identifies or receives reports of security weaknesses but most such vulnerabilities are limited to a particular version of the Windows operating system or other piece of Microsoft software. In recent weeks, the company has been touting its progress in combating security threats.
The company could not be reached on Monday for comment.
ping.
Every version of Windows released since 1990 is affected.
The internet is going to be a might plain looking place without any graphics...
In other news, water is wet, the sky is blue, and women are hard to understand sometimes.
People need to switch over to Mac.
Reminds me one more time why I love my Mac!
Wanted to ask anyone if turning off pictures from laoding in IE helps getting infected.
Windows WMF Vulnerability News & Updates
Steve Gibson is trustworthy.
what's the bug? does it only affect web images loaded into Internet Explorer, or is any browser vulnerable?
As noted on earlier threads, there is a temporary fix at:
http://www.grc.com/sn/notes-020.htm
Bookmark the page, so you can restore this function after Microsoft issues the patch. Gibson is reliable, and explains how to temporarily disable this function and re-enable it after the fix comes out.
helps getting infected = helps from getting infected.
Every version might be affected, but processors that support Data Execution Prevention aren't affected. AMD and Intel users with hardware DEP can turn it on and forget about it.
Apparently any application that uses the Windows dispay graphic DLLs is vulnerable.
Errr, I thought the flaw was in .wmv files, quit downloading porn and music files until the patch comes out.....problem solved.
Any browser, any image viewer amd email program is vulnerable. Windows Explorer browser is vulnerable.
The only reason MACs don't have viruses is that nobody targets them.
Software is software. If someone wanted to exploit the MACOS, they could.
Please put a caveat that there are currently no fixes for Windows 98, 98 SE and ME.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.