There has been a flood of information about the WMF vulnerability and associated exploits. We plan to record a special 10-15 minute podcast episode dedicated to WMF tonight. Right now, here are some facts to present to management and help further assess the situation:

  • According to ISC, there was a trojan being installed via WMF that hit a web page to increment a counter. Last count, 200,000.
  • The latest SANS polls indicate that organizations are in fact seeing attacks that use the WMF vulnerability
  • F-Secure has found evidence of attackers using the flaw to infect machines and tell them to send SPAM. The link in the SPAM message contains a WMF exploit that installs a bot, instructing the computer to partake in a botnet. More information here.
  • WebSense has released an alert which shows you what some of the WMF images look like on varius web sites. They state that there are two types of attacks, one where users are lured to an evil web site, and one where an attacker compromises an existing web site and slip in a WMF image with exploit code.