WMF flaw to be patched this month
This month's "patch Tuesday" bulletin from Microsoft will feature a security update for the recently exploited Windows Meta File vulnerability.
The Redmond, Wash., company said Tuesday that it does not believe attacks on the flaw, which can result in PC shutdown, are widespread, adding that "customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability."
"Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement," the company said in a statement. "Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks is not widespread. In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures."
Last week, the U.S. Computer Emergency Readiness Team and security firms warned that malicious users had set up attack websites to exploit the image vulnerability, through which they could execute arbitrary code, cause a denial-of-service condition or take complete control of an infected PC.
F-Secure said on Tuesday that code design from the 1980s is to blame for the vulnerability. The vulnerability exists on all Windows platforms, but only XP and 2003 are easily exploitable, the firm said.
"When Windows metafiles were designed in the late 1980s, a feature was included that allowed the image files to contain actual code. This code would be executed via a callback in special situations. This was not a bug; this was something that was needed at the time. This function was designed to be called by Windows if a print job needed to be canceled during spooling," the firm said.
The firm also warned of spoofed emails pretending to be from the State Department or wishing users a happy new year. Numerous security experts recommended that users consider unofficial patches that had been made available, such as one at http://www.hexblog.com.