Be Careful — Critical Windows WMF File Security Flaw In the Wild

By Michael Santo
Contributing Writer, RealTechNews

Yesterday F-Secure and Sunbelt reported a new in-the-wild exploit thattakes advantage of a vulnerability in the WMF (Windows Metafile) graphics rendering engine to automatically download and install malware. As I said, that was just yesterday, and Websense Security Systems is already tracking thousands of sites distributing the code.

Microsoft has posted a security advisory on its site, and has promised to patch the flaw … but gave no timetable.

“Upon completion of [our] investigation, Microsoft will take the appropriate action to help protect our customers,” the advisory stated. “This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.”

Microsoft rarely goes out-of-cycle to patch a vulnerability — it’s done so only three times since it began a once-a-month patch release schedule in October, 2003; the last time was over a year ago — and didn’t patch early in December when another zero-day bug surfaced, even after experts called on the Redmond, Wash.-based developer to fix fast.

“It’s really easy to get this thing,” said Shane Coursen, a senior technical analyst with Moscow-based Kaspersky Labs. “The exploit will even work through a DOS box.” Source: TechWeb

We Say: Symantec says that, besides “.wmf” files, the vulnerability can also be exploited if the file has been renamed to other image file extensions such as “.jpg,” “.gif,” etc. It’s also possible the exploit is part of the WMF specification, and thus be even more difficult to fix. I’m not sure what to say at this point, aside from, make sure your antivirus software is up-to-date and don’t go anywhere on the web that you don’t trust 100%.