The Student News Site of Palo Alto High School

The Paly Voice

The Student News Site of Palo Alto High School

The Paly Voice

The Student News Site of Palo Alto High School

The Paly Voice

TONE
We want to hear your voice!

Which school event do you most look forward to this year?

View Results

Loading ... Loading ...

Windows metafile vulnerability jeopardizes Paly PC users

According to district IT administrator Andrew Hannah, the Palo Alto Unified School District has installed a Microsoft update that addresses a critical security issue for Paly’s Windows computers.

Paly has many computers that run Windows, such as the ones in the foreign language lab, the library, the lab adjacent to the library, and the robotics lab. The district network has a single server in the district office that checks for critical Windows updates and downloads them. All of the Paly’s PC’s receive updates from the server. In this manner, all of Paly’s PC’s downloaded the Microsoft update as soon as it was available on Jan 5.

According to Paly junior Eric Meltzer, one of the webmasters of The Paly Voice, all of these computers were at risk from the vulnerability.

“All those machines run Windows,” Meltzer said. “If they weren’t updated, merely viewing an image in Internet Explorer, which they all use, can cause the computer to execute remote code and compromise data or render the system useless.”

Bobby Georgescu, Paly senior and self-employed technology consultant, recommends that people install the Microsoft patch at home as soon as possible.

“Download the patch from windows update,” Georgescu said. “It’s free, easy, and could save you some trouble.”

According to a Microsoft press release on Jan. 5, home users of computers with Windows 2000, Windows XP, or Windows XP Professional x64, can download the official Microsoft patch from the Microsoft’s update center at http://update.microsoft.com (must be using Internet Explorer) or through the computer’s auto-update system. No update is available for computers using Windows 98, Windows 98 SE, or Windows ME, because Microsoft did not deem the vulnerability sufficiently critical for those versions of Windows to include them in its update.

The vulnerability was first discovered on Dec. 27 by Internet security watchdogs such as the SANS Institute Internet Storm Center and F-Secure. The exploit stems from the way that the Windows operating system handles Windows Metafile (WMF) images, according to a Microsoft press release on Jan. 5.

“The WMF files are for media and included a feature to allow functions to be built into the actual files, in order to make it easier for them to be displayed or printed,” Georgescu said. “When the file is opened, these functions are executed. The problem here is that someone looking to do harm can abuse this and put anything they want in there, because these functions are allowed to do anything rather than being restricted only to display or print related activities.”

Using alternate browsers such as Firefox or Opera offers little protection against the vulnerability, according to the Internet Storm Center, because the Windows Metafiles are images, and considered safe by browsers.

Within 24 hours of the vulnerability’s discovery, malicious software such as viruses and spyware affected computers by using the exploit, according to the vulnerability’s Wikipedia entry. This led to its classification as a 0-day exploit.

“The exploit could have been used to install other things with functionality similar to that [of the 2003 blaster worm],” Georgescu said. “However, I think it was blown way out of proportion. It was not being used for a massive attack of any kind, but rather it was being used by spyware companies looking to get their software installed so they could make more money. It did not do any actual damage to anything. And a third-party patch was released very quickly.”

Ilfak Guilfanov, a software developer, released an unofficial patch for the vulnerability on Dec. 30. The unofficial patch is now obsolete with the official Microsoft update.

“Microsoft is a large company and anything big takes a while to get momentum,” Georgescu said. “But since they are still claiming to support their products, it is in some people’s eyes unacceptable that a hobbyist is doing their job for them. That being said, a large majority of people, including myself, does not care. I patched all the computers I am responsible for with the unofficial one.”

Microsoft said in a press release on Jan. 5 that it would release further critical security updates to Windows on Jan. 10. According to the press release, the company’s monitoring of data indicates that the attacks based on the vulnerability are limited. Efforts to shut down malicious websites, up-to-date anti-virus definitions, the unofficial patch, and awareness of the vulnerability have limited its effects.

Disclaimer: This article is not professional computer security advice. The Paly Voice is not responsible for any damages to your computer through action or inaction taken based on the information in this article.

Leave a Comment

Comments (0)

All The Paly Voice Picks Reader Picks Sort: Newest

Your email address will not be published. Required fields are marked *