Hackers uncover 'biggest Microsoft vulnerability'

By Rhys Blakely

Editor's Note: SpyAxe is one of the programs that is using this vulnerability. The article below mentions that there are at around 100 others making use of similar techniques. Stay protected!

Computer hackers are targeting a flaw in Microsofts Windows operating system that has placed hundreds of millions of PCs at risk of infection from dangerous "spyware" programs used by criminal gangs to steal peoples identities.

The flaw in the software, which is used by 90 per cent of the worlds computers, allows PCs to be infected by programs maliciously embedded into seemingly harmless image files. It was first discovered last week, but Microsoft is yet to release a protective "patch" to guard against the danger.

"The vulnerability probably affects more computers than any other security vulnerability, ever," Mikko Hypponen, chief research officer at F-Secure, said on the web-security companys weblog.

Most attacks require a victim to download an infected file. But the newly discovered flaw, which dates back at least a decade, makes it possible for a PC to be hit simply by a user browsing a web page or opening an e-mail that contains an infected image.

Mark Herbert, the founder of intY, an internet security company, said: This is one of the first examples of a new generation of threats on the internet. Now people can run into serious problems just looking at web pages something we havent seen before.

"This should be a serious wake-up call to the web community."

Patrick Runald, a senior anti-virus consultant with F-Secure, told Times Online: "Unlike other threats, which tend to target specific versions of software, this affects all versions of Windows from the past 10 years or so - that means hundreds of millions of machines. We are now seeing lots of activity among virus writers looking to exploit this flaw."

According to Mr Runald, hackers exploiting the vulnerability have so far focused on using it to install secret "spyware" and "back doors" on victims' PCs. That suggests that criminal gangs are mainly responsible rather than trouble-makers who prefer mass e-mail campaigns to spread viruses as far as possible.

The underlying "source code", which maps out how to exploit the weakness, has now been published on the net by hackers.

Microsoft has confirmed that the flaw has been actively exploited and said it was working "with our anti-virus partners and aiding law enforcement" to tackle the problem.

The incident is especially embarrassing since it also affects the test - or "beta" -version of Vista - the latest version of Windows that is due to be released later this year. Bill Gates, Microsoft's founder, has heavily promoted Vista's improved security.

Donal Casey, a consultant for Morse, the internet security company, said: "Vista had been marketed as the secure version of Windows, but obviously it is not. Microsoft is covered because the final version hasn't been released, which will allow them to do a bit more thinking."

In the absence of a patch, Microsoft has urged PC users to follow its standard advice and "exercise caution when they open e-mail and links in e-mail from untrusted sources."

It added: "While we have not encountered any situation in which simply opening an e-mail can result in attack, clicking on a link in an e-mail could result in navigation to a malicious site."

Microsoft's statement can be found here.

According to F-Secure, more than 100 different versions of the malicious programs called WMF or Windows metafile programs targeting the flaw have emerged so far. This week WMF exploits have been spread in e-mails wishing people "Happy New Year" and by messages purporting to be from American security agencies.

According to the F-Secure website, Internet Explorer users are at the greatest risk of automatic infection "while Firefox and Opera browser users are prompted with a question whether theyd like to open the WMF image or not. They get infected too if they answer Yes."

The Home Office has estimated that identity theft accounts for 1.3 billion in stolen goods, services and cash a year. Meanwhile fraudsters have turned to online crime to sidestep new measures on the high street, such as chip-and-pin card technology. According to police figures, computer crime alone cost British businesses 2.4 billion last year.