WMF Exploits and SiteAdvisor

Friday, 30 December 2005
|
The holidays tend to be a stressful time of the year. It doesn't help matters when a nasty
zero-day exploit hits Microsoft Windows users. This one takes advantage of Windows Metafile
(WMF) images. Until a patch arrives, you may want to follow Microsoft's suggestion and unregister
the Windows Picture and Fax Viewer. What it comes down to is knowing where to go for good information
on the exploit and staying away from sites that want to trap you. (Includes patch information.)
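The workaround Microsoft suggested, and the reverse step to take once the official patch is installed, written out as an added PowerShell script. This is an example added here, not a script from the original post or from Microsoft. It assumes the DLL named in Microsoft's advisory for the Windows Picture and Fax Viewer, shimgvw.dll, lives in the Windows System32 directory, and it must be run from an elevated (Administrator) session, which is the requirement the advisory's instructions carry.

```powershell
# Added example (not from the original post): apply or undo the Windows
# Picture and Fax Viewer workaround for the WMF zero-day.
#   .\Wmf-Workaround.ps1 -Action Unregister   # before the patch is available
#   .\Wmf-Workaround.ps1 -Action Register     # after the official patch is installed
# Assumption: the viewer DLL is %windir%\System32\shimgvw.dll, as named in
# Microsoft Security Advisory 912840.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Unregister', 'Register')]
    [string]$Action
)

$dll = Join-Path $env:windir 'System32\shimgvw.dll'

# regsvr32 writes to HKEY_CLASSES_ROOT, so the advisory's steps need
# Administrator rights. Fail early and clearly instead of half-applying.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

if (-not (Test-Path $dll)) {
    throw "Expected $dll but it is not present; nothing to do."
}

# /s suppresses the confirmation dialog; /u calls DllUnregisterServer instead
# of DllRegisterServer. A non-zero exit code means the call failed.
$regArgs = if ($Action -eq 'Unregister') { @('/s', '/u', $dll) } else { @('/s', $dll) }
$proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $regArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "regsvr32 $($regArgs -join ' ') failed with exit code $($proc.ExitCode)"
}

Write-Host "$Action of $dll succeeded."
```

Unregistering the viewer only removes one path by which a WMF image gets rendered; it does not remove the vulnerable code from the system, so treat it as a stopgap and run the script again with -Action Register only after the official patch is in place.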
UPDATE: Microsoft has officially released a patch for this issue. If you installed either the unofficial patch or unregistered the DLL, please see instructions here.

In the old days when security problems were detected, a researcher would alert the company about the product flaw. The company would fix the problem before someone else took advantage of the weakness. Now, rogue programmers discover these flaws and release code to take advantage of the weakness without informing the company. That protective time buffer we once had has virtually disappeared, leading to these zero-day exploits. Once the exploit code is released, other schemers quickly follow suit and compound the problem until a patch arrives.

Where to Get Reliable Information

One problem with zero-day exploits is that many people scramble to inform the public. What exactly is the exploit? What can users do to protect themselves? Who is at risk? Is there a workaround? Sometimes the information is spot-on and sometimes it's spotty. Even as I write this, people are still researching the ways users could get infected. It also doesn't help that different organizations call the exploit by different names and provide varying assessments.

What's particularly galling about this WMF exploit is that some of the sites that trap you into their ploy inform you that your computer is infected. Next, they offer to sell you a software program to correct the problem. Many people will be thankful they were alerted to these infections and offer up their credit card number to buy the cure.

The researchers at Websense Security Labs have a description of the exploit and a 3-minute movie that shows how one exploit works. Most security vendors have rated this exploit as extremely critical. Microsoft has issued a security advisory (912840) on this issue. One suggested action to minimize this vulnerability is for users to unregister the Windows Picture and Fax Viewer.
Microsoft provides instructions in the advisory, but you will need Administrator rights to follow them. If you're not sure of the steps or think you've been impacted by this vulnerability, US and Canadian residents can call 1-866-PCSAFETY. Online support is available for other countries.

Some security vendors and bloggers have been issuing information and preventive steps through their sites. Some are more technical than others:

Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine
US-CERT Vulnerability Note VU#181038
SANS overview of the WMF-related articles
SANS FAQ on the WMF exploit
Secunia advisory: Microsoft Windows WMF
Steve Gibson's Security Now show notes with instructions
Sunbelt Software, suggesting Kerio firewall and Snort rules
Symantec Security Response: Bloodhound Exploit
F-Secure WMF information

Update: On 1/2, Jesper Johansson posted an entry on his blog titled "Conscientious Risk Management and WMF". The article is a good read. Jesper is a senior security strategist with Microsoft. As I would expect, he does not advocate installing any unofficial patches. He does offer some good advice on running programs with limited rights.

If you prefer to hear about this exploit, I found two podcasts on the subject:

Security Now with Steve Gibson and Leo Laporte
Security Catalyst: WMF Exploit

Finding Trustworthy Sites

The other item you might read in the Microsoft Security Advisory is this statement:

"Microsoft has determined that an attacker using this exploit would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability."

Note that this statement only covers how the victim reaches the page; once a page carrying a malicious WMF image is displayed, no further click is needed. I'll be the first to admit that not everyone employs safe surfing habits.
However, the folks who devise these schemes also do a good job of using social engineering and other tactics to steer people to sites. I recall a year ago I was listening to music with Yahoo! Messenger. A particular song came on and I used the feature to look up the lyrics. I clicked the wrong lyrics site. Even with a firewall and spyware scanner, I still had to clean crap out of the registry.

I don't recall which lyrics site I visited, but today there is a tool that can help me make a better decision. It's not a cure-all, nor will it prevent the WMF exploit. It does help to steer me away from problem sites. The tool is called SiteAdvisor and is a plug-in for either Microsoft Internet Explorer or Mozilla Firefox. The tool is still in preview mode, but I think it provides useful information even at this early stage. I first read about the tool in an article Ben Edelman wrote called "Deciding Who To Trust".

The reason I like the tool is that it helps me evaluate sites I don't know. This is often the case when you're doing research and jumping from one site to another from a search engine results page. For example, if I were to use Google to search for song lyrics as I did a year ago, SiteAdvisor would supplement my search engine results with icons. Each of the search results displays an icon to the right of the title indicating how SiteAdvisor evaluated the site. A site is either untested or falls into one of three color-coded classifications.
If I place my cursor over the icon, I get an information bubble that offers some quick stats. SiteAdvisor has gathered these stats using an army of web crawlers, virtual machines and one-time email addresses. They analyze and quantify many items, ranging from the outbound links on the site to the frequency and types of email received. The data is not real-time, but you can get a sense of when they checked the site based on some of the emails. I think showing the date they scanned the site would be useful.

In most cases, I like to see additional information. Each site has a summary page that can include comments from users as well as the site owner. If you click the more link, you'll get a full page of information. One section I found interesting was the associations between sites. In the example of this lyrics site, they had outbound links to sites that were also classified as red. The same color-coding applies in the link analysis. I can't be certain whether any of these sites was the one that caused me havoc last year. I can say there were enough search engine results with green check marks that I could use first.

The toolbar can also assist when you're just browsing a web page. Keep in mind the best time to use the tool is before you visit a site. If an exploit is triggered just by viewing a page, without clicking a link, you're too late: SiteAdvisor may properly identify the site once you're there, but it can't prevent the exploit. The safer choice is to click the View Site details option on the toolbar menu and enter the URL of the site you plan to visit.

The tool works in the same fashion in each browser, with the SiteAdvisor button changing color based on the site you're viewing. The main difference is that Internet Explorer displays SiteAdvisor at the top, whereas it's at the bottom in Firefox. In the screen snap below, I went to www.google.com and opted to see the site summary.
This summary provides a good example of email you might receive from Google and the types of files available for download. They also listed a customer service number for Google.

I've been pleased with the results I've seen. Initially, I was concerned the tool would slow down my browser, as it needs to send the URLs back to the SiteAdvisor database to get the data. I've not noticed any slowness with Firefox or Internet Explorer. I did notice on certain forms in Internet Explorer there would be an outline around the fields, but it was a cosmetic issue.

I think there is a definite need for a tool like SiteAdvisor. The program won't prevent exploits, but it can provide essential information on a site to assist you. It's still up to you to decide whether you want to go to the site. I don't think the search engines can evaluate sites in the same manner. As this latest exploit shows, we need to be very careful where we go on the web. This exploit should also remind us to keep our software, firewall, anti-virus, and spyware scanners up to date.

If you want to use this tool, the company is looking for testers. You can sign up to evaluate the preview version or be notified of their public launch. Until then, happy surfing.
Last Updated: Thursday, 05 January 2006
