Bad news for Microsoft Windows users. Computer security experts have confirmed the existence of a new exploit for inserting trojans or spyware into devices running every version of Microsoft Windows released since 1990. Whoa.
using programs maliciously inserted into seemingly innocuous image files, was first discovered last week. But the potential for damaging attacks increased dramatically at the weekend after a group of computer hackers published the source code they used to exploit it.
Unlike most attacks, which require victims to download or execute a suspect file, the new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.
What's not clear is whether this vulnerability extends to Windows used in embedded devices like ultrasound systems, ECG systems and patient monitors. True, one doesn't surf the web with most medical devices, but there may be other ways to exploit the vulnerability. Another wrinkle is that while Microsoft is aware of the problem and working on a patch, it's doubtful that the resulting patch will apply beyond currently available or supported operating systems. Hint: many embedded devices are a few releases behind and may be running versions that Microsoft has dropped support for.
Do you know which of your medical devices and systems are running Windows? Have you completed the HIMSS Manufacturer Disclosure Statement for Medical Device Security for your devices? Another great resource is security expert Bruce Schneier's newsletter, Crypto-Gram. And of course, he's got a blog as well.
UPDATE: After becoming aware last week of the vulnerability in the Windows Meta File (WMF) code area of Windows, Microsoft has been working on a patch. This story reports that Microsoft has completed the patch and that it is now in testing. Microsoft hopes to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins on the second Tuesday of the month. The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures.
UPDATE: More technical details on the vulnerability here. It seems that the SANS Institute's Internet Storm Center advised patching Windows with an unofficial third-party patch. And here's the link to Microsoft's advisory.
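Since the bug is triggered by rendering WMF image content rather than by a user opening a file with a particular name, a gateway or mail filter that only looks at the ".wmf" extension gives a false sense of coverage. The following Python snippet is an added example (not code from the original post or from Microsoft or SANS) that identifies WMF data by its header bytes instead: the placeable (Aldus) header key 0x9AC6CDD7 and the standard METAHEADER layout (type 1 or 2, header size of 9 words, version 0x0100 or 0x0300). The sample attachments are constructed header fragments, including one WMF header stored under a non-WMF name to show the difference between the two checks.

```python
"""
Content-based WMF detection for a mail or web gateway filter.

Added example, not part of the original post. The sample inputs are
constructed header fragments padded with zeros, not real image files.
"""
import struct

# Placeable ("Aldus") WMF header begins with the 32-bit key 0x9AC6CDD7,
# stored little-endian, i.e. the bytes D7 CD C6 9A.
PLACEABLE_WMF_KEY = 0x9AC6CDD7

# Standard METAHEADER fields: Type (1 = in memory, 2 = on disk),
# HeaderSize (always 9 words), Version (0x0100 or 0x0300).
WMF_TYPES = {1, 2}
WMF_HEADER_WORDS = 9
WMF_VERSIONS = {0x0100, 0x0300}


def is_wmf(data: bytes) -> bool:
    """Return True if the leading bytes look like a Windows Metafile."""
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return True
    if len(data) >= 6:
        ftype, header_size, version = struct.unpack("<HHH", data[:6])
        return (ftype in WMF_TYPES
                and header_size == WMF_HEADER_WORDS
                and version in WMF_VERSIONS)
    return False


def flagged_by_extension(name: str) -> bool:
    """The weak check: trust the file name."""
    return name.lower().endswith(".wmf")


def flagged_by_content(data: bytes) -> bool:
    """The stronger check: inspect the bytes that the renderer will parse."""
    return is_wmf(data)


def scan(attachments):
    """Return {name: (by_extension, by_content)} for each (name, bytes) pair."""
    return {name: (flagged_by_extension(name), flagged_by_content(data))
            for name, data in attachments}


# Constructed sample attachments (header fragments only).
SAMPLES = [
    ("chart.wmf", struct.pack("<I", PLACEABLE_WMF_KEY) + b"\x00" * 18),  # placeable WMF
    ("photo.jpg", struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12),    # standard WMF, non-WMF name
    ("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),                    # genuine JPEG SOI marker
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 12),                   # genuine PNG signature
]

if __name__ == "__main__":
    for name, (by_ext, by_content) in scan(SAMPLES).items():
        print(f"{name:10s} extension={by_ext!s:5s} content={by_content}")
```

Running it shows "photo.jpg" flagged only by the content check, which is the case an extension-based rule would pass through to a vulnerable renderer. A filter built on `is_wmf` can quarantine such attachments or strip them from web responses until the patch is deployed.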