How the Brits are reporting the .WMF flaw

["Richard M. Smith" <rms () computerbytesman com>]

http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html
 
Windows PCs face ‘huge’ virus threat
By Kevin Allison in San Francisco
Published: January 2 2006 18:18 | Last updated: January 2 2006 22:19
  <http://news.ft.com/c.gif> 

 microsoft windows graphic
<http://news.ft.com/cms/178289de-c12b-11d8-9146-0003ba5a9905.jpg> Computer
security experts were grappling with the threat of a newweakness in
<http://mwprices.ft.com/custom/ft-com/quotechartnews.asp?FTSite=FTCOM&q=MSFT
&searchtype&expanded=&countrycode=us&s2=us&symb=MSFT&company=NEW>
Microsoft’s Windows operating system that could put hundreds of millions of
PCs at risk of infection by spyware or viruses.

 

The news marks the latest security setback for Microsoft, the world’s
biggest software company, whose Windows operating system is a favourite
target for hackers.

“The potential [security threat] is huge,” said Mikko Hyppönen, chief
research officer at F-Secure, an antivirus company. “It’s probably bigger
than for any other vulnerability we’ve seen. Any version of Windows is
vulnerable right now.”

The flaw, which allows hackers to infect computers using programs
maliciously inserted into seemingly innocuous image files, was first
discovered last week. But the potential for damaging attacks increased
dramatically at the weekend after a group of computer hackers published the
source code they used to exploit it. Unlike most attacks, which require
victims to download or execute a suspect file, the new vulnerability makes
it possible for users to infect their computers with spyware or a virus
simply by viewing a web page, e-mail or instant message that contains a
contaminated image.

“We haven’t seen anything that bad yet, but multiple individuals and groups
are exploiting this vulnerability,” Mr Hyppönen said. He said that every
Windows system shipped since 1990 contained the flaw.

Microsoft said in a security bulletin on its website that it was aware that
the vulnerability was being actively exploited. But by early yesterday, it
had not yet released an official patch to correct the flaw. “We are working
closely with our antivirus partners and aiding law enforcement in its
investigation,” the company said. In the meantime, Microsoft said it was
urging customers to be careful opening e-mail or following web links from
untrusted sources.

Meanwhile, some security experts were urging system administrators to take
the unusual step of installing an unofficial patch created at the weekend by
Ilfak Guilfanov, a Russian computer programmer.

Concerns remain that without an official patch, many corporate information
technology systems could remain vulnerable as employees trickle back to work
after the holiday weekend. 

“We’ve received many e-mails from people saying that no one in a corporate
environment will find using an unofficial patch acceptable,” wrote Tom
Liston, a researcher at the Internet Storm Center, an antivirus research
group. Both ISC and F-Secure have endorsed the unofficial fix.

Microsoft routinely identifies or receives reports of security weaknesses
but most such vulnerabilities are limited to a particular version of the
Windows operating system or other piece of Microsoft software. In recent
weeks, the company has been touting its progress in combating security
threats. 

The company could not be reached on Monday for comment.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.