Hackers are close to finding a way to spread harmful computer viruses just by getting people to open an e-mail message or visit an infected Web site, computer security experts warned yesterday.
The hacking community, they said, is developing tools to exploit a new security flaw in computers running Microsoft's Windows XP and Server 2003 operating systems. Those tools could be used to power a worm, which could allow attackers to take control of people's computers. Microsoft identified the flaw last week and offered a free software patch to fix it.
The problem resides in computer code that Microsoft applications use to display JPEG digital image files, an image format found on millions of Web sites. Security experts say hackers could use the flaw to embed viruses into digital photos capable of infecting vulnerable PCs as soon as the user visits a malicious Web site or opens a specially crafted e-mail.
The development marks a key shift in the way that the online security community encourages less technologically savvy computer users to stay safe on the Internet.
"We always said there's no way you can be infected [with a computer virus] just by looking at a photograph online, but now it looks like we may have to eat our words on that," said Marcus Sachs, director of the SANS Internet Storm Center and former adviser at the White House Office of Cyberspace Security. "This year we've seen a lot of changes to the fundamental ways we thought we were secure."
This week, at least three computer programs designed to demonstrate how to exploit the flaw were published online, and security experts say it is likely only a matter of days before attackers hone those programs to help launch a major computer virus outbreak.
"It's highly likely we'll see some sort of malicious code targeting this Microsoft flaw very soon," said Russ Cooper, chief scientist at Herndon, Va.-based security firm TruSecure Corp. "The security hole is just too attractive for the bad guys to pass up."
Such a worm would give new life to a kind of Internet threat that so far has been the stuff of myths and hoaxes. For years, Internet chain letters have warned users to be on the lookout for viruses or worms that can wreak digital havoc just by getting people to open an e-mail message. In reality, most viruses arrive as e-mail attachments and do not activate unless the user opens the attachment.
Such a virus could be especially harmful because most businesses will remain vulnerable to the flaw for weeks if not months -- the time span it generally takes for companies to test the patches to ensure they do not interfere with other software applications. In addition, most companies do not consider digital images a virus threat and typically allow them to pass unimpeded through corporate firewalls via e-mail and Web browsers, Cooper said.
The computer security community's fear stems from a dramatic shift in the speed with which virus writers seize upon Microsoft vulnerabilities to hijack home and business PCs.
According to a report released this week by Cupertino, Calif.-based security company Symantec Corp., the average time between the announcement of a software flaw and the release of computer code designed to exploit that hole has shrunk to less than six days.
The time between the release of a software patch and the emergence of an Internet virus or worm that leverages that security hole also has narrowed dramatically during the past several years.
In a series of attacks in June, hackers broke into hundreds of commercial Web sites and planted viruses that made it possible for users of Microsoft's Internet Explorer Web browser to have their passwords and private account information stolen when they logged on to banking sites. That attack worked because it took advantage of a flaw in the browser before Microsoft could develop a patch to fix the problem.
In August 2003, the "Blaster" worm led a parade of viruses that seized on a vulnerability Microsoft disclosed less than a month earlier. In February, the "Sasser" worm surfaced just two weeks after Microsoft released a patch to plug the security hole. In March, the "Witty" worm damaged and destroyed tens of thousands of hard drives running the BlackIce and RealSecure firewall products; the company had released a patch for the problem only two days before.
Some security experts are not as concerned about the possibility of virus-laden digital photos, in part because researchers have uncovered similar vulnerabilities with two other image formats this year, flaws that have yet to be exploited by an Internet worm or virus.
"I don't really see any reason why this vulnerability would be any different," said Mikko Hypponen, director of antivirus research at Finnish security company F-Secure Corp. "There is certainly a lot of discussion and hype about it, but I wouldn't be surprised if we didn't see any worms or viruses using this flaw at all."
The security flaw affects mainly Microsoft Windows XP and Server 2003 systems, but PCs running older versions of Windows may also be vulnerable because the problem is also present in a number of other Microsoft programs, including most versions of Microsoft Office, the productivity suite that includes programs like Word and Excel. Microsoft users can download the latest patches from the company's Windows Update site.