Microsoft WMF Vulnerability: Business Impact

January, 2006

As most IT security professionals know, Microsoft disclosed a new Windows vulnerability last month. The vulnerability lies in the way the operating system handles the Windows Metafile (WMF) format when it encounters an error in the file.

Technical details of the vulnerability are already being covered by the technology press and are not repeated here. This article summarizes the characteristics of the threat that give it the potential for a large economic impact on business. We will update this article as new information is available.

The Threat
New security holes in Windows are announced nearly every month. But the WMF vulnerability is particularly dangerous for three reasons. 

  • Scope. The vulnerability exists in all versions of Windows in use today, from Windows 98 to Windows XP as well as all versions of Windows server operating systems, from Windows NT through Windows Server 2003. Switching from Internet Explorer to a non-Microsoft web browser such as Firefox does not provide protection.
  • Mode of infection. It doesn’t take much effort on the part of users to be infected by malware that exploits the WMF vulnerability. Users need only view a web page or open an email that contains a malformed WMF file. Infected WMF files are also being spread through instant messaging systems. A system can be penetrated when a user merely views an infected email in preview mode. If the user is running a desktop search program, such as Google’s, the system will be infected without any user action at all, when the search program indexes an unread email that includes the infection.
  • Lack of a timely fix. The WMF vulnerability is a so-called “zero day exploit,” one where the vendor has not released a patch at the time that the vulnerability is discovered.

These three characteristics are a combination that could lead to major infections of malware in 2006 based on this vulnerability. We discuss the potential impact on business later in this article.

Microsoft’s Fix and Temporary Workarounds
On January 5, 2006, Microsoft released a security bulletin that includes a fix for the WMF vulnerability. Unfortunately, this still left a period of over one week between the time that the vulnerability was announced by Microsoft and the time an official fix was available.

During the interim, a European programmer, Ilfak Guilfanov, released a hotfix for the WMF vulnerability (link removed, since the Microsoft fix is now available). Guilfanov is a senior developer at DataRescue in Liege, Belgium. Security company F-Secure successfully tested Guilfanov’s hotfix, and, as a vote of confidence, installed it on its own computers. The SANS Internet Storm Center also recommended Guilfanov’s patch as an interim fix.

Malware security providers such as Norton, McAfee, and F-Secure have also provided updates to defend against specific malware attacks based on the WMF vulnerability as they are discovered in the wild. But if a user does not apply the Microsoft patch, virus protection programs will only defend against specific malware entities that exploit the vulnerability. They do not close the vulnerability itself. The good news is that, so far, the antivirus vendors appear to be staying ahead of the malware writers and massive corporate infections have not yet been reported. That may change, however, if businesses are slow to apply Microsoft’s patch and a malware entity slips past corporate virus protection.

Impact on Business
There are already at least 57 malware entities in the wild that exploit the WMF vulnerability. They began to be released over the slow holiday period between Christmas and New Year’s Day, and infections are already spreading. According to Computerworld on January 3, “Staff at McAfee Inc.’s Avert security research lab report that 7.45% of users of the company’s retail security products were found to have computers infected with malicious programs through the WMF exploit as of today. That’s up from 6% of users on Saturday.”

We believe that the growing infection rate is an indication that one or more of the WMF malware entities have the potential to become major new general malware attacks in 2006. We define a general malware attack as one that is intended to infect a large number of computer users generally and overtly, without targeting specific users or organizations.

Computer Economics projects that the worldwide economic impact from a single general malware attack based on the WMF vulnerability could exceed $1 billion US. Additionally, the collective impact of all attacks exploiting this vulnerability has the potential to surpass Netsky in damages, which we estimate to have reached approximately $3.75 billion for 2004 and 2005 combined.

We anticipate that businesses, especially those that do not have strong centralization of desktop administration, will be hard hit. Large businesses, which need to plan and deploy updates to thousands of desktops, can take weeks to apply “official” patches from Microsoft, and they are often reluctant to apply unofficial patches or workarounds. The widespread use of laptop computers compounds the difficulty in quickly applying fixes, as mobile users may not connect to the corporate network in time to have any patch or workaround pushed to the laptop operating system before the infection hits.

Beyond general malware events, a major concern is whether criminals will use the WMF vulnerability to design targeted, covert attacks on specific organizations for financial gain or espionage. Such targeted attacks are on the rise and now represent a potentially greater economic impact if an organization is unlucky enough to be a target.

For more information on the financial effect of malware on business, and trends in general and targeted attacks, please refer to our recent study, 2005 Malware Report: The Impact of Malicious Code Attacks, which is now available on our website.

This report breaks down the total financial impact of malware on businesses by type of cost, based on our interviews and surveys of IT security professionals over the past year. It also highlights the major malware events of 2005, and tracks the worldwide economic impact of viruses, worms, trojans, and other malicious code attacks since 1999. IT executives will find this study a valuable source of economic statistics for justifying new IT investments that harden the IT infrastructure against malware attacks.