The WMF vulnerability
[Posted January 4, 2006 by corbet]
Image file formats continue to be fertile ground for anybody seeking
security vulnerabilities. It seems that there is a tiny hole in the
"Windows metafile" (WMF) implementation on just about every version of
Windows. Exploits exist and are widespread; all it takes to be compromised
is an attempt to view a malicious WMF file. Using Internet Explorer to
view a web page which
includes the WMF file is sufficient; depending on who you believe, it may
also be possible to deliver malicious files in email.
Quite a few sites hosting exploits have been found; by some estimates,
hundreds of thousands of machines have already been compromised. Happily,
Windows users can rely on Microsoft's recent commitment to security for a
patch.
Unhappily, it seems that Microsoft, which has known about the vulnerability
since sometime in December, will not have a fix available until
January 10. Meanwhile, users are told to be careful out there and
"avoid reading email from strangers."
So Windows users will be left exposed to a severe
vulnerability - with numerous exploits already happening - for a minimum of
two weeks. It is tempting to insert a long, Microsoft-bashing rant here,
but there is little point.
Instead, we'll point out a couple of things which might be worth knowing if
you're concerned with security issues involving Windows in any way:
- Firefox (on Windows) users are vulnerable too. Being compromised via
Firefox is harder than with Internet Explorer; current versions of the
browser require an explicit user action before a WMF file will be
displayed. But requiring an extra click is a thin line of defense, at
best.
- There is an unofficial
fix available for people who do not want to wait for Microsoft to
get around to putting up a patch. By all accounts, the fix does
exactly what it says it does, but, since it is a binary patch, it is
hard to verify independently.
It is hard to imagine a vulnerability of this severity staying open for so
long in the free software world. If distributors were slow in releasing a
patch, the community would fill in quickly - with verifiable,
source-available fixes. There is little doubt that, sooner or later, a
serious vulnerability will threaten free software users; that is, unfortunately,
the nature of software. But the nature of free software should keep
that vulnerability from being left open for anywhere near so long.
(See also: the CERT
advisory for the WMF vulnerability and this FAQ).