Microsoft's plans to hold the release of an urgently needed patch until next Tuesday does not sit well with security experts.
The fix is for an extremely critical glitch in the Windows Meta File software. Security firms are urging IT managers to take serious precautions in the next few days while they wait for the patch.
Several companies have raised their alert and threat levels in response to the lapse in time before the patch is released. Cupertino, Calif.-based antivirus firm Symantec Corp. has raised its ThreatCon status to Level 3 on a 1-to-4 scale. The firm has not placed its threat level at 3 since July 2004 during the MyDoom attack.
"What makes this special is there are a lot of systems that could be exploited," said Jonah Paransky, a senior manager with Symantec. "Will there be a widespread attack? We don't know. Could there be one? Certainly."
Pointing to the quick nature of exploits once a vulnerability has been found, Paransky said waiting for four or five days for a patch is an eternity in some enterprise environments. "The average time between a vulnerability ID and a patch from a vendor is 42 days," he said. "The average time for an exploit to be released in response to a vulnerability is six days."
Other antivirus experts are also urging vigilance for IT administrators. Carole Theriault, a security consultant with U.K. firm Sophos Plc, said there are already a few hundred exploits trying to take advantage of the glitch. The exploits are arriving in e-mail, instant messaging and through Web browsing. Sophos has moved its threat level warning from low to medium-high.
"The likeliest scenario is that you would receive an unsolicited e-mail, which would then attempt to entice you to click on a link," said Theriault. "The link would bring you to a compromised Web page, which would attempt to exploit the vulnerability."
Finnish security firm F-Secure Corp. has raised its Radar Alert to its second highest level. Mikko HyppÖnen, the company's antivirus research director, was hesitant to get into scenarios because of the massive risk. HyppÖnen said he was especially concerned because almost all Windows machines are vulnerable.
"We're afraid of an e-mail worm that would use image files to spread. If that would happen, it would be a massive, global outbreak almost immediately," he said.
SANS Internet Storm Center (ISC) in Bethesda, Md., is hosting an online poll to gauge how users have been impacted so far by the WMF vulnerability. According to results on Wednesday, 11% of respondents had already been hit by some infection. However, the large majority, 78%, had not seen an exploit yet.
"Given that the vulnerability can spread through e-mail and does not require any user interaction, there is a real potential for a mass outbreak via e-mail," said SANS chief research officer Johannes Ullrich. "I don't think a 'blaster type' attack is possible, but something like 'zotob' is possible."
While they wait for Tuesday's fix, antivirus experts advise managers to educate users about what sites they visit and what e-mail attachments they open. Symantec's Paransky said managers should go a step further and block access to untrustworthy sites if possible.
"This is not a time for users to go plumbing the depths of the Internet," said Paransky. It's like dangerous neighborhoods -- there are times when you may feel safe visiting them. But right now, don't go there."