Help is on the way for the WMF vulnerability

Microsoft has updated Security Advisory 912840, which provides details of the WMF exploit that was sprung on an unsuspecting world last week. The good news? A patch will be available in one week:

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.

Based on strong customer feedback, all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.

The level of hysteria over the WMF exploit is getting a little silly. Yes, it’s a zero-day exploit, which is a very bad thing. But the drumbeat that this will be “the mother of all Internet worms” has been spreading. Even the normally down-to-earth crew at SANS has melted down. And yet, as Larry Seltzer at eWeek points out, Microsoft’s deliberate pace seems correct. Major antivirus software vendors, who are usually ready to hit the panic button (and sell a lot of software) at the slightest provocation, are surprisingly low-key:

[I]t’s Monday morning, Jan. 2, and none of the major anti-virus has a serious alert up. McAfee, Symantec, Trend and Panda all show no alarm, and the ones that have a general level of alertness are all showing a low level. Panda can usually be counted on for some hysteria at a time like this, and Computer Associates doesn’t even seem aware of the threat on its site.

There is F-Secure, who is showing a Level 2 (out of 3) alert. F-Secure has been on top of this situation from the very beginning …

As I pointed out in an earlier piece, actual testing of 73 variants of this threat shows excellent protection common among anti-virus vendors. As of Saturday morning, the 100 percent list included AntiVir, Avast, BitDefender, ClamAV, Command, Dr Web, eSafe, eTrust-INO, eTrust-VET, Ewido, F-Secure, Fortinet, Kaspersky, McAfee, Nod32, Norman, Panda, Sophos, Symantec, Trend Micro and VirusBuster. If you’re a user of one of these products and you keep your anti-virus updated, odds are good that you’re protected against any exploits you’re likely to see.

And as one of the anti-virus vendors pointed out to me, there may be dozens of variants out there and a first attempt at an IM worm, but there is no major attack yet. In other words, there may be a major vulnerability, but there is no major exploit, and you’re unlikely to encounter one unless you spend a lot of time on porn sites or already are running adware.

So let’s review:

• Disabling the Windows Picture and Fax Viewer is a proven workaround for all variants to date.
• If you’re running auto-updating antivirus software from a major vendor, it’s able to detect and block all known variants of this exploit.
• The average person is extremely unlikely to get hit with this thing in everyday browsing.
• No one has come up with an e-mail-based vector yet, aside from the usual spammy attempts to entice you to a shady Web site.

In short, it’s not time to panic. I directly support about a dozen users – family and friends. None of them are shy about calling for help, and none of them have encountered this exploit. I have an extended family of correspondents who reach out when they encounter viruses and spyware. I haven’t heard a word from them. In fact, although lots of security sites are finding examples of this exploit in the usual dark corners of the Web, no one has reported widespread infections. The updated security bulletin confirms what the antivirus companies are saying:

Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks are not widespread.

In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures.

One skilled and apparently trustworthy coder has released an unauthorized patch for this vulnerability. SANS recommended that everyone install it. I haven’t recommended this patch, because in my view the risk is greater than the benefit. I think Microsoft has made a perfectly reasonable trade-off in developing and testing this patch. A seemingly small change can have a ripple effect in unexpected places. The nightmare scenario is a poorly tested patch that renders a system unstable or causes data loss.

If this had been the Slammer worm, which spread like wildfire over the Internet back in 2003, a more aggressive approach would be called for. In this case, I think the response from Microsoft has been appropriate.