You Got Served, and You Had No Idea?
Making sure your computer has the latest patches installed is probably one of the most important safe computing practices. Unfortunately, many people outside the security community fail to understand why this is so critical. I can’t think of a better illustration of why this practice is so important than the recent use of MySpace to serve up banner ads that exploit the Windows Metafile (WMF) image format flaw.
Let me explain what happened. Back in December 2005, a vulnerability was discovered in the way Windows operating systems handled WMF images. If an image was maliciously crafted and you simply viewed it in an unpatched version of Windows, attackers could get your computer to execute any instructions they wanted it to. And you would have no idea. As you can imagine, such a vulnerability has serious repercussions. Anyone with an unpatched computer who so much as visits a Web site containing a malicious WMF image (or, in some cases, views an email that contains the image) will end up with an immediately infected computer that comes under the control of an attacker. At that point, an attacker could record any passwords, credit card numbers, or bank account numbers that are entered, among several other nasty acts. Fortunately for all of us who downloaded it, Microsoft issued a patch in fairly short order.
Fast forward to July 2006. Michael La Pilla (a spyware analyst for iDefense) was surfing the Web on a Linux machine and viewing some pages on MySpace. One of the pages contained a banner advertisement formatted as a WMF file. Much to his surprise, La Pilla found that the banner advertisement exploited the above-mentioned WMF vulnerability. What is even scarier is the estimate that this banner ad has been served upwards of one million times to unsuspecting users. If any of these people used an unpatched Windows machine to go to a page that simply contained the ad, their computer would then be at the whim and mercy of the attacker who created the ad (regardless of what Web browser they were using). How many of these one million people surfed the Web using an appropriately patched version of Windows? Probably not nearly enough of them.
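The patch is the real fix, but a defender who proxies or archives Web content may also want to recognize the kind of WMF record the December 2005 flaw abused. The following is an added example written for this page, not code from the original post, from iDefense, or from Microsoft. It assumes details that the article does not state and that come from the public WMF file format: the flaw was triggered through a META_ESCAPE record carrying the SETABORTPROC escape function, WMF records begin with a 32-bit size in words and a 16-bit function code, and the optional placeable header is 22 bytes. The two metafiles it scans are constructed in the code itself; the flagged one contains only an empty escape record, enough for a detection test and nothing more.

```python
import struct

# Constants from the public WMF specification (assumption: not stated on the page).
PLACEABLE_MAGIC = 0x9AC6CDD7   # first 4 bytes of the optional placeable header
META_EOF = 0x0000              # terminating record
META_SETMAPMODE = 0x0103       # an ordinary drawing record, used for the benign sample
META_ESCAPE = 0x0626           # GDI escape record
SETABORTPROC = 0x0009          # escape sub-function abused by the December 2005 flaw


def wmf_records(data):
    """Yield (function_code, parameter_bytes) for each record in a WMF blob.

    Raises ValueError on truncated or malformed input instead of guessing,
    so a scanner treats unparsable files as 'unknown' rather than 'clean'.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                # skip the placeable (Aldus) header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2                     # standard header is 9 words
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2
        if rec_len < 6 or off + rec_len > len(data):
            raise ValueError("malformed record at offset %d" % off)
        yield func, data[off + 6:off + rec_len]
        if func == META_EOF:
            return
        off += rec_len
    raise ValueError("missing META_EOF record")


def suspicious_escapes(data):
    """Return the indices of META_ESCAPE records whose escape function is SETABORTPROC."""
    hits = []
    for idx, (func, params) in enumerate(wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 2:
            escape_function = struct.unpack_from("<H", params, 0)[0]
            if escape_function == SETABORTPROC:
                hits.append(idx)
    return hits


# --- constructed sample metafiles (test fixtures, not real banner ads) -------

def record(func, params=b""):
    """Pack one WMF record: size in 16-bit words, function code, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records):
    """Prepend a standard 18-byte WMF header (type=memory, version 3.0) to the records."""
    body = b"".join(records)
    max_record_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record_words, 0)
    return header + body


BENIGN_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),   # MM_ANISOTROPIC
    record(META_EOF),
])

# Same file with an empty SETABORTPROC escape record inserted: the record shape a
# scanner should flag, carrying no escape data at all.
FLAGGED_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),
    record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),   # escape function, byte count 0
    record(META_EOF),
])


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("flagged", FLAGGED_WMF)):
        print(name, "->", suspicious_escapes(blob))
```

A scanner like this belongs in front of the browser (a filtering proxy, a mail gateway, an ad-network review step), because the whole point of the flaw was that the image rendered the moment it was displayed; it complements the patch rather than replacing it, since a patched machine ignores the abort procedure regardless of what the file contains.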
It’s easy to point the finger and blame different parties for what has happened. Unfortunately, as things currently stand, the end user is the one who has to pay the price. So, before you log on to check your bank balance or take a look at how your stock portfolio is doing, make sure your machine is fully patched first.