One security executive said the flaw, exposed in late December but originally designed in the 1980s to cancel a print job during spooling, left security pros without preemptive weapons against hackers. The flaw made it possible for hackers to infect a PC after a user clicked on an image file.
"The WMF vulnerability was a difficult one for security personnel to deal with because intrusion prevention and anti-virus solutions could detect the attack but were incapable of taking preemptive action," said Alan Shimel, chief strategy officer at StillSecure. "In a world where staying one step ahead of hackers is a constant battle, here was a situation where people could only be reactive until a patch was released."
Microsoft eventually changed course, distributing a patch to the public on Jan. 5 — a week ahead of its routine "Patch Tuesday" release cycle date. The firm cited a public demand for the patch. Security analysts, however, said the immediate lack of a fix for the unique vulnerability was – and would be in future instances – a dangerous situation for both pros and home PC users.
"We shouldn't minimize how dangerous WMF was. A malicious threat like this, which could release its payload without a user installing a file but merely by viewing a graphic, has the potential for widespread harm," said Shimel. "WMF didn't propagate as quickly as some expected but the rapid progression from vulnerability to exploit only reaffirms the importance of staying on top of new threats. Response time is critical to effective network security."
Marcus Sachs, deputy director of SRI International, as well as director of the DHS's Cyber Security Research & Development Center, said hackers did not yet use the most effective way of spreading malware through the vulnerability.
"The worst case scenario would be if someone figured out a way to infect an administrator. You could crash millions of users instantly. Or if they made it self-replicating," he said. "Unfortunately, this vulnerability to use code within an image is nothing new. It is certainly a vulnerability despite its original intent."
Security experts said it was also possible that attacks focusing on WMF vulnerabilities would become more common in the future.