Shifting Threats Challenge Microsoft’s Response to Exploits

Is Microsoft prepared to handle the coming wave of security threats? On Dec. 27, a potentially dangerous zero-day exploit struck Windows-based PCs and servers. Leveraging an unreported vulnerability in the Windows graphics handling engine, the attack uses specifically tailored Windows Meta File (WMF) graphics to inject executable code into PCs. Most concerning, the exploit requires no user interaction. If you view an infected image with Internet Explorer, your system can be compromised.

The WMF zero-day exploit represents an important shift in the nature of malware threats, where IT managers have little or no warning about an exploit attacking a system vulnerability. More troubling, the WMF zero-day exploit may have revealed some significant issues in the way Microsoft itself deals with time-critical threats.

On Jan. 3, a full week after the WMF exploit was discovered, Microsoft released a statement that read: "Microsoft has completed development of a security update to fix the vulnerability and that update is now being finalized through testing to ensure quality and application compatibility. Microsoft's goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins on the second Tuesday of the month, although quality is the gating factor."

Michael Cherry, lead analyst for Windows and Mobile at Directions on Microsoft, says the Microsoft Security Response Center team dropped the ball by opting to wait for Patch Tuesday. "They have to be willing to modify their procedure based on the risk of the exploits," he says.

And that risk was very high. Security firms tracking the threat found that the WMF exploit was being used to install several different adware and spyware packages onto PCs. Security monitoring and training outfit The SANS Institute estimates that the exploit has been used to install bot software on about 1 million PCs.

To its credit, Microsoft issued an "out-of-band" update on Jan. 5 that plugged the hole, rendering the threat inert in patched systems. But Cherry says the change of heart may have been driven by more than security concerns.

"They were concerned about the uptake of the third-party patch," Cherry says, referring to an independently crafted fix for the vulnerability. "Anecdotally, it looked to me that people were seriously considering implementing the third-party patch. I was surprised by that personally."

Johannes Ullrich wasn't. The chief technical officer at The SANS Institute says the unofficial patch was downloaded about 275,000 times from his organization's Web site. Ullrich says the heavy interest shows that Microsoft badly miscalculated the threat posed by the WMF exploit.

"They basically just didn't get the exploit or the severity of it," he says. "Talking to them was frustrating because they didn't have anyone around who had used the exploit and played with it."

Microsoft, for its part, is working to write more secure code. The company's Security Development Lifecycle (SDL) process helps developers analyze, detect and harden areas of code being targeted by attackers. The result, says a Microsoft spokesperson, is measurably improved security.

"Microsoft has used the SDL on many products, including Windows Server 2003, SQL Server 2000 SP3, and Microsoft Exchange Server SP3. Windows Server 2003 was the first operating system released at Microsoft that implemented large portions of the SDL, and compared to Windows 2000, it had 63 percent fewer vulnerabilities in the first year."

The spokesperson also notes that security bulletins for SQL Server 2000 dropped sharply after the release of the SDL-tuned SP3.

In a blog posting at the Microsoft TechNet site, Mike Nash, the corporate vice president responsible for security at Microsoft, says his team sought to balance the need for a fully qualified patch against the risk of exposure and the inconvenience of installing an out-of-band release. Nash credits customer requests for an immediate fix.

About the Author

Michael Desmond is an editor and writer for 1105 Media's Enterprise Computing Group.
