As most IT security professionals know, Microsoft disclosed a new Windows vulnerability last month. The vulnerability lies in the way the operating system handles the Windows Metafile (WMF) format when it encounters an error in the file.
Technical details of the vulnerability are already being covered by the technology press and are not repeated here. This article summarizes the characteristics of the threat that give it the potential for a large economic impact on business. We will update this article as new information is available.
New security holes in Windows are announced nearly every month. But the WMF vulnerability is particularly dangerous for three reasons.
Together, these three characteristics could lead to major malware infections based on this vulnerability in 2006. We discuss the potential impact on business later in this article.
Microsoft's Fix and Temporary Workarounds
On January 5, 2006, Microsoft released a security bulletin at http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx that includes a fix for the WMF vulnerability. Unfortunately, this still left a period of over one week between the time that the vulnerability was announced by Microsoft and the time an official fix was available.
During the interim, a European programmer, Ilfak Guilfanov, released a hotfix for the WMF vulnerability (link removed, since the Microsoft fix is now available). Guilfanov is a senior developer at DataRescue in Liege, Belgium. Security company F-Secure successfully tested Guilfanov's hotfix, and, as a vote of confidence, installed it on its own computers. The SANS Internet Storm Center also recommended Guilfanov's patch as an interim fix.
Malware security providers such as Norton, McAfee, and F-Secure have also provided updates to defend against specific malware attacks based on the WMF vulnerability as they are discovered in the wild. But if a user does not apply the Microsoft patch, virus protection programs will only defend against specific malware entities that exploit the vulnerability. They do not close the vulnerability itself. The good news is that, so far, the antivirus vendors appear to be staying ahead of the malware writers and massive corporate infections have not yet been reported. That may change, however, if businesses are slow to apply Microsoft's patch and a malware entity slips past corporate virus protection.
Impact on Business
There are already at least 57 malware entities in the wild that exploit the WMF vulnerability; they began appearing over the slow holiday period between Christmas and New Year's Day. Infections are already spreading. According to Computerworld on January 3, "Staff at McAfee Inc.'s Avert security research lab report that 7.45% of users of the company's retail security products were found to have computers infected with malicious programs through the WMF exploit as of today. That's up from 6% of users on Saturday."
We believe that the growing infection rate is an indication that one or more of the WMF malware entities have the potential to become major new general malware attacks in 2006. We define a general malware attack as one that is intended to infect a large number of computer users generally and overtly, without targeting specific users or organizations.
Computer Economics projects that the worldwide economic impact from a single general malware attack based on the WMF vulnerability could exceed $1 billion US. Additionally, the collective impact of all attacks exploiting this vulnerability has the potential to surpass Netsky in damages, which we estimate to have reached approximately $3.75 billion for 2004 and 2005 combined.
We anticipate that businesses, especially those that do not have strong centralization of desktop administration, will be hard hit. Large businesses, which need to plan and deploy updates to thousands of desktops, can take weeks to apply "official" patches from Microsoft, and they are often reluctant to apply unofficial patches or workarounds. The widespread use of laptop computers compounds the difficulty in quickly applying fixes, as mobile users may not connect to the corporate network in time to have any patch or workaround pushed to the laptop operating system before the infection hits.
Beyond general malware events, a great concern is whether criminals will use the WMF vulnerability to design targeted, covert attacks on specific organizations for financial gain or espionage. Such targeted attacks are on the rise and now represent a potentially greater economic impact if an organization is unlucky enough to be a target.
This report breaks down the total financial impact of malware on businesses by type of cost, based on our interviews and surveys of IT security professionals over the past year. It also highlights the major malware events of 2005 and tracks the worldwide economic impact of viruses, worms, trojans, and other malicious code attacks since 1999. IT executives will find this study a valuable source of economic statistics for justifying new IT investments that harden the IT infrastructure against malware attacks.