by Robin Bloor

Of Vultures and Vulnerability

Feb 07, 2006

The last IT security headline of 2005 was referred to in Europe as the greatest security threat ever. There was less hyperbole in the US press about it, but it was acknowledged as very serious. The problem was yet another defect in Microsoft Windows, this time in the handling of Windows Metafile (WMF) files. The security vulnerability, a buffer overflow, was in the Windows graphics rendering engine that processes WMF files.

It is possible to exploit the weakness using a WMF file because such files can contain program code: if code is inserted to exploit the buffer overflow, the graphics engine will execute it. The reason this particular problem is more serious than usual is that WMF files are used everywhere. They are often embedded in web pages or in emails and are processed automatically by the graphics rendering engine without the user even being asked. Ironically, the problem comes from a WMF capability that is probably redundant, namely allowing custom abort code to be added to a graphics file, and it dates back to a very old release of Windows (Windows 3.0, released in 1990) that was created long before Microsoft cared much about security.
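The "abort code" capability described above is carried in a WMF Escape record. As a defensive illustration, added here and not part of the original column, the following Python walks a WMF's record list and reports any Escape record that registers an abort procedure, which is exactly what a mail gateway or file scanner would flag. The record and escape constants are taken from the published WMF format; the two sample files are constructed inline (no payload, just the record structure) so the scanner can be run offline.

```python
import struct

# Constants from the Windows Metafile format specification.
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header
META_EOF = 0x0000              # terminating record
META_ESCAPE = 0x0626           # record carrying a driver escape
SETABORTPROC = 0x0009          # escape that registers an abort procedure (code)

def find_abortproc_escapes(data: bytes) -> list:
    """Return file offsets of META_ESCAPE records whose escape is SETABORTPROC."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                  # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]   # mtHeaderSize
    if header_words != 9:
        raise ValueError("unexpected WMF header size")
    off += header_words * 2
    hits = []
    while off + 6 <= len(data):
        rec_words, func = struct.unpack_from("<IH", data, off)  # rdSize, rdFunction
        if rec_words < 3:
            raise ValueError(f"bad record size at offset {off}")
        rec_end = off + rec_words * 2
        if rec_end > len(data):
            raise ValueError(f"record at offset {off} runs past end of file")
        if func == META_EOF:
            break
        # Escape record: 2-byte escape function, 2-byte byte count, then data.
        if func == META_ESCAPE and rec_words >= 5:
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.append(off)
        off = rec_end
    return hits

# --- constructed sample files for demonstration (not real-world samples) ---
def _record(func: int, params: bytes) -> bytes:
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

def build_wmf(records: bytes) -> bytes:
    # mtType, mtHeaderSize, mtVersion, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(records) // 2, 0, 0, 0) + records

SETBKCOLOR = _record(0x0201, b"\x00\x00\x00\x00")       # an ordinary drawing record
BENIGN_WMF = build_wmf(SETBKCOLOR + _record(META_EOF, b""))
ABORTPROC_WMF = build_wmf(
    SETBKCOLOR
    + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)
    + _record(META_EOF, b""))

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("abortproc", ABORTPROC_WMF)):
        print(name, "->", find_abortproc_escapes(blob))
```

Any hit is reason to quarantine the file rather than let a renderer touch it; the scanner also refuses files whose records run past the end, which is itself a sign of tampering.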

The headline of "greatest security threat ever" clearly comes from the fact that it is so easy to get infected by any software that tries to exploit this vulnerability. It could be spread by almost any medium, including highly effective media like email and web pages. However, when it was first announced there were, in fact, very few hackers exploiting it. It was spotted by F-Secure on December 27th, when the company detected hackers using the weakness to plant Trojans.

The Internet Vultures

Other antivirus companies were quick to alert their users. Symantec raised its threat alert level to its highest point in 16 months in response to the bug and openly criticized Microsoft for not responding quickly enough. So why the immediate panic?

The sad truth is that nowadays there is a population of Internet vultures that simply wait for a new vulnerability to emerge anywhere, in any software, and rush in to exploit it. In this instance, according to Thomas Liston, an incident handler with the SANS Internet Storm Center in Bethesda, Maryland, hundreds of web sites immediately began to exploit the flaw. To add to this, hackers quickly became active, attempting to exploit the vulnerability through instant messaging. The usual digital felons piled in, as they now do whenever a new vulnerability appears. They use such opportunities to infect PCs with Trojans in order to create zombie networks from which to launch what has become a wide variety of illegal activity: spam, phishing, pharming, denial of service attacks, advertising scams, eBay scams, targeted fraud, etc.

This crowd of vultures is not going to disappear until such activity ceases to offer such an attractive risk/reward ratio, and as far as I can tell, this is going to be a long while yet – quite a few years. Why? Because there is a fundamental problem with the Internet itself. Quite simply, the Internet arrived without any means of authentication built in. You have no easy way of authenticating a computer you connect to or one that connects to you. So it is actually very simple for anyone who wants to, to mask or completely hide their identity. It is possible for collaborating businesses to jointly implement an authentication scheme, but there is no general service that can be used to reveal the vultures for what they are. No such service will be available until the new version of the Internet Protocol (IPv6) is generally adopted, and that is still years away.