Did the BugBlog help you? Donate via PayPal to say thanks.

Even better, subscribe to the BugBlog Plus for even more coverage of bugs and their fixes.

Order books and more at Amazon.com

Order Windows 2000 Secrets from Amazon.com

BugBlog Bug of the Month

Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting bug. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.

The Bug of the Day for January, 2006 was written on December 31, just making it under the wire to qualify. It belongs to Microsoft.

Microsoft interrupts everyone's vacation with news of another vulnerability that could load hostile content onto your computer via a Windows Metafile graphic. The graphic would be hosted on a website, but Microsoft says a user would have to visit the website by clicking on a link -- they could not be forced onto the site. There are reports that code to exploit this are already circulating on the Internet. Microsoft has a bulletin at http://www.microsoft.com/technet/security/advisory/912840.mspx, which will get updated later.

Why this bug? First is the scope -- it affects all Windows users, all versions, from Windows Server 2003 and Windows XP Service Pack 2, all the way back to Windows 98. Second is the relative ease in which an attack using this bug could be triggered. The December 31 report was written before the full scope was known to the public. You could actually be affected via a website, via email, or even just looking at a thumbnail of the graphic file in Windows Explorer. The third reason for picking this is the reaction -- mounting criticism of Microsoft's effort forced the company to release a patch early for the bug.

This is how the rest of the story played out in the BugBlog.

On January 3 came these two entries

The Microsoft WMF bug, from the 12/31 BugBlog, is being taken advantage of by adware vendors and others who don't have your best interests at heart. A round-up story in eWeek at http://www.eweek.com/article2/0,1895,1907102,00.asp shows that anti-virus vendors are catching up, but don't offer blanket immunity. Disabling the buggy DLL from Microsoft offers a temporary patch, by preventing Windows Picture and Fax Viewer from opening. It may be possible for this security breach to be exploited by third-party programs that open WMF files. See details, and limitations, of this workaround in the eWeek story.

Microsoft says they will not be releasing their fix for the WMF (Windows Metafile) bug until their regular Patch Tuesday release of January 10. I guess they aren't worried that it’s a very serious security bug that is very easy to exploit. There is an unofficial patch from the Internet Storm Center at SANS. While the patch was developed by a volunteer, it has been tested at SANS, and the source code is available. Get it at http://isc.sans.org/diary.php?storyid=1010. Keep on reading the coverage by the Internet Storm Center for a very good FAQ on the problem. The information they give is much more detailed than what you are getting from Microsoft.

On January 4

At least 70 different IM (Instant Messaging) attacks have been catalogued that attempt to exploit the bug in Microsoft Windows WMF (Windows Metafile) format. Sending an infected file via IM, or sending a link to a website with an infected file, are how IM is used for the attack. Email and websites will be the other common ways to exploit this. Read more at http://www.computerworld.com/securitytopics/security/holes/story/0,10801,107455,00.html.

On January 5

Most anti-virus programs are catching malicious content trying to sneak in through Microsoft's unpatched WMF (Windows Metafile) bug. Microsoft still insists on waiting till January 10 to patch this dangerous bug, while an unofficial but safe patch is available from the Internet Storm Center at http://isc.sans.org/diary.php?storyid=1010. In the meantime, independent testing shows that Symantec and McAfee were able to catch all 206 of the test files; most other AV vendors, with the exception of Trend Micro, also did well. Read these results at
http://news.zdnet.com/2100-1009_22-6018696.html.

On January 6 came the fix

If enough people complain, I guess that Microsoft will change its mind. The patch for the very dangerous WMF (Windows Metafile) bug was released early, on 1/5/2006. The patch, for Windows 2000, Windows XP, and Windows Server 2003, is a Critical Update that will prevent remote attackers from possibly taking over your computer after you view a WMF graphics file on your computer, in an email, or on a webpage. Get the update at http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx. Now that the "official" patch is out, you will not need the unofficial patch available from the Internet Storm Center.

Previous Bugs of the Month

Dec 2005: Sony's Secret DRM Scheme Leaves Users Exposed

November 2005: Four Separate Bugs Leave Windows Open to Takeover

October 2005: Acrobat Screws Up MS Word

September 2005: Apple Security Update Breaks 64-bit Apps

August 2005: Cisco IOS Vulnerable to IPv6 bug

July 2005: RealNetworks Fixes Four Bugs in Their Media Player

June 2005: Flawed Rollout for Netscape 8

May 2005: TCP/IP Fix for Windows

April 2005: Denial of Service against Symantec Norton AntiVirus

March 2005: IDN Spoofing Bug

February 2005: Windows Animated Cursor Bug

January 2005: Windows Firewall Problems with Dial-up connections

The Bug of the Month is also posted at Blogcritics.org