Windows computers are under attack from a previously unknown security vulnerability in WMF code. “WMF” is a file format that’s been used for more than ten years; although it appears to be a format for images, similar to “JPG” or “GIF,” it’s actually more complicated than that – and it can execute programs. The bad guys discovered how to make a WMF file execute malicious programs, similar to viruses or spyware.

The vulnerability affects all Windows computers, from Windows XP and Server 2003 all the way back to Windows 98. It can be triggered by viewing a web page with a malicious image, by viewing or previewing an e-mail with a malicious image, or even by having Google Desktop do an index of a malicious image that arrived by e-mail but was never viewed. The malicious files can be renamed with other extensions – “JPG,” for example – and still trigger the bad code. It’s nasty!
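Because a renamed file still triggers the bad code, any filter has to decide what a file is from its content, not its extension. As an added example (not part of the original post), this Python check recognizes WMF data by its header bytes and flags files that carry some other extension; the function names and sample bytes are constructed for illustration.

```python
import os
import struct

# Constructed names; the header layout is the documented WMF file header.
PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # optional 22-byte "placeable" prefix, key 0x9AC6CDD7
PLACEABLE_LEN = 22
HEADER_LEN = 18                      # standard WMF header

def looks_like_wmf(data: bytes) -> bool:
    """Return True if data starts with a WMF header, with or without the placeable prefix."""
    if data[:4] == PLACEABLE_KEY:
        data = data[PLACEABLE_LEN:]
    if len(data) < HEADER_LEN:
        return False
    file_type, header_words, version = struct.unpack_from("<HHH", data)
    # Type 1 = in-memory, 2 = on-disk; header size is 9 words; version 1.0 or 3.0.
    return file_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def classify(name: str, data: bytes) -> str:
    """Classify by content first, then compare with the extension the file claims."""
    if not looks_like_wmf(data):
        return "not-wmf"
    ext = os.path.splitext(name)[1].lower()
    return "wmf" if ext == ".wmf" else "wmf-disguised"

def flag_disguised(files):
    """files: iterable of (name, bytes). Return names whose content is WMF but extension is not."""
    return [n for n, d in files if classify(n, d) == "wmf-disguised"]

# Constructed sample inputs: a minimal empty metafile (header + end-of-file record),
# the same with a placeable prefix, and the start of a JPEG.
SAMPLE_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
SAMPLE_PLACEABLE = PLACEABLE_KEY + bytes(PLACEABLE_LEN - 4) + SAMPLE_WMF
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)

if __name__ == "__main__":
    inbox = [("chart.wmf", SAMPLE_WMF), ("holiday.jpg", SAMPLE_PLACEABLE),
             ("card.gif", SAMPLE_WMF), ("photo.jpg", SAMPLE_JPEG)]
    print(flag_disguised(inbox))
```

A match only says the file is a metafile under another name, not that it is malicious; it is a reason to quarantine the file until the patch is installed.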

Microsoft announced this morning that it will post an update on January 10 that fixes the problem. Here’s the Microsoft Security Advisory about this issue and the patch.

Antivirus programs have been updated to catch some instances of the programs designed to exploit this issue.

Microsoft Antispyware has been updated to deal with some aspects of this problem.

During the next week, please be unusually careful. Take these steps now!

  • If you’re running Windows OneCare, make sure your status is green. If you’re running another antivirus program, make sure the virus definitions are up to date.
  • If you’re running Microsoft Antispyware, open it and make sure it appears to be up to date. If you’re not running it, install Microsoft Antispyware now.
  • Do not visit any previously unknown web sites or click on any links that might take you somewhere unexpected.
  • Do not view any images that arrive unexpectedly by e-mail and do not view or preview any e-mail messages that are not from a trusted source.

There is more information and links to a temporary fix here. As of this morning, I am not going to install the temporary fix or follow the instructions to de-register one of the vulnerable DLL files; my hope is that this is a threat that can be contained by being careful for the next week.

Be safe out there!
