G
Guest
NEW YORK (Dow Jones)--Microsoft Corp. (MSFT) plans to release a patch for a
new security flaw at its next scheduled update release on Jan. 10, leaving
users largely unprotected until then from a rapidly spreading computer virus
strain.
"Microsoft's delay is inexcusable," said Alan Paller, director of research
at computer security group SANS Institute. "There's no excuse other than
incompetence and negligence."
"It's a problem that there's no known solution from Microsoft," said Alfred
Huger, senior director of engineering at Symantec Corp.'s (SYMC) security
response team.
SANS Institute, via its Internet Storm Center, has taken the unusual step of
releasing its own patch for the problem until a Microsoft-approved fix is
available. "It's not something we like to do," said Paller.
The Internet Storm Center, which tracks viruses and other outbreaks on the
Web, increased the threat level to "yellow" - a warning that means a
significant new threat is developing.
Microsoft said evaluation and testing affect the timing of security patches.
"Creating security updates that effectively fix vulnerabilities is an
extensive process. There are many factors that impact the length of time
between the discovery of a vulnerability and the release of a security
update," Microsoft said in a security advisory on its Web site.
"Quality is the gating factor," said a Microsoft spokeswoman. The company
views the issue as "serious," but believes that "the scope of the attacks is
not widespread," she added.
The attack is the latest to hit Microsoft, despite redoubled efforts to
respond to security threats. With more than 90% of personal computers running
Windows, it represents the biggest target for hackers.
The virus began spreading last week, as hackers took advantage of a
previously unknown flaw in Windows Meta File code in what is known as a
"zero-day attack."
The small amount of code in the virus can call down other programs that
could install spyware to steal personal data or turn a system into a "bot" (a
computer controlled by hackers).
"The flaw is fairly significant in terms of its reach," said Alain Sergile,
product manager at Internet Security Systems Inc.'s (ISSX) X-Force threat
analysis service.
The bug was found in current server and desktop versions of Windows and is
considered serious because it requires relatively minor user interaction to
be unleashed. The virus is carried in picture files and can be triggered if
an image is viewed in an email or on an infected Web site. It is also being
distributed through Instant Messenger.
Johannes Ullrich, chief research officer at SANS Institute, said there are
hundreds of Web sites that carry the infected images, and he's tracking the
possibility that an online ad service is serving up infected image files. He
says 5% to 10% of users appear to be infected, "an order of magnitude more
than other attacks."
Google Inc.'s (GOOG) desktop search tool can also trigger the virus as it
indexes files on a computer, even if the image hasn't been viewed by the
user.
The virus takes advantage of the way Windows processes Windows Meta Files,
or WMF, images. These file types can carry more common .jpg extensions, but
still carry the malicious code.
Microsoft recommends users unregister a file called shimgvw.dll. "While this
workaround will not correct the underlying vulnerability, it helps block
known attack vectors," the software maker says in its security advisory.
Security experts are advising people to turn off preview panes in email
programs like Outlook and be very careful about what web sites they visit and
what emails they open.
-By Chris Reiter, Dow Jones Newswires; 201-938-5244;
(e-mail address removed)
new security flaw at its next scheduled update release on Jan. 10, leaving
users largely unprotected until then from a rapidly spreading computer virus
strain.
"Microsoft's delay is inexcusable," said Alan Paller, director of research
at computer security group SANS Institute. "There's no excuse other than
incompetence and negligence."
"It's a problem that there's no known solution from Microsoft," said Alfred
Huger, senior director of engineering at Symantec Corp.'s (SYMC) security
response team.
SANS Institute, via its Internet Storm Center, has taken the unusual step of
releasing its own patch for the problem until a Microsoft-approved fix is
available. "It's not something we like to do," said Paller.
The Internet Storm Center, which tracks viruses and other outbreaks on the
Web, increased the threat level to "yellow" - a warning that means a
significant new threat is developing.
Microsoft said evaluation and testing affect the timing of security patches.
"Creating security updates that effectively fix vulnerabilities is an
extensive process. There are many factors that impact the length of time
between the discovery of a vulnerability and the release of a security
update," Microsoft said in a security advisory on its Web site.
"Quality is the gating factor," said a Microsoft spokeswoman. The company
views the issue as "serious," but believes that "the scope of the attacks is
not widespread," she added.
The attack is the latest to hit Microsoft, despite redoubled efforts to
respond to security threats. With more than 90% of personal computers running
Windows, it represents the biggest target for hackers.
The virus began spreading last week, as hackers took advantage of a
previously unknown flaw in Windows Meta File code in what is known as a
"zero-day attack."
The small amount of code in the virus can call down other programs that
could install spyware to steal personal data or turn a system into a "bot" (a
computer controlled by hackers).
"The flaw is fairly significant in terms of its reach," said Alain Sergile,
product manager at Internet Security Systems Inc.'s (ISSX) X-Force threat
analysis service.
The bug was found in current server and desktop versions of Windows and is
considered serious because it requires relatively minor user interaction to
be unleashed. The virus is carried in picture files and can be triggered if
an image is viewed in an email or on an infected Web site. It is also being
distributed through Instant Messenger.
Johannes Ullrich, chief research officer at SANS Institute, said there are
hundreds of Web sites that carry the infected images, and he's tracking the
possibility that an online ad service is serving up infected image files. He
says 5% to 10% of users appear to be infected, "an order of magnitude more
than other attacks."
Google Inc.'s (GOOG) desktop search tool can also trigger the virus as it
indexes files on a computer, even if the image hasn't been viewed by the
user.
The virus takes advantage of the way Windows processes Windows Meta Files,
or WMF, images. These file types can carry more common .jpg extensions, but
still carry the malicious code.
Microsoft recommends users unregister a file called shimgvw.dll. "While this
workaround will not correct the underlying vulnerability, it helps block
known attack vectors," the software maker says in its security advisory.
Security experts are advising people to turn off preview panes in email
programs like Outlook and be very careful about what web sites they visit and
what emails they open.
-By Chris Reiter, Dow Jones Newswires; 201-938-5244;
(e-mail address removed)
