
Windows image flaw now 'extremely critical'

Users are being warned to avoid surfing untrusted sites as an exploit in Windows image files spreads in the wild and Microsoft has yet to release a patch.

Users are being asked not to save, open or even preview any untrusted image files from e-mail, instant messages, folders or network shares in Internet Explorer after an exploit targeting Windows Metafile Format files spread yesterday on fully patched systems.

Numerous security vendors and US-CERT have issued warnings to users asking them to avoid any application that automatically displays a .wmf image, including older versions of Firefox and current versions of Opera, Outlook and all IE versions running on the Windows platform. "This is a zero-day exploit, the kind that give security researchers cold chills," according to the Sunbelt Software blog. "You can get infected by simply viewing an infected WMF image."

Severity ratings vary, but at least one respected vulnerability assessment company, Secunia, Inc., called this one "extremely critical."

Attackers are using the unprotected hole in machines running Windows XP (including those with the SP 2 patch installed), ME, 2000 and Windows Server 2003 to hide malicious code on a Web page or e-mail containing .wmf files. Vendors report that the flaw is primarily being used to sneak spyware onto computers. In addition to installing downloads and using the PC as a spam relay, the malicious code tries to trick its user into revealing credit card information.

Though there are no reports of widespread traction, security alerts have been elevated because of the high risk of rapid infection rates if enough users click on a malicious .wmf file or URL to a malicious site. In some cases, merely surfing and landing on an infected site will download the spyware automatically, according to various vendors.

Microsoft issued its own warning yesterday and said it's investigating reports to determine if a patch is required prior to the next release of security updates next month. "Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a Web site that contains a specially crafted Windows Metafile (WMF) image," the company said in a prepared statement. "An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site.

"Customers are encouraged to keep their antivirus software up to date," it continued. "The Microsoft Windows AntiSpyware (Beta) can also help protect your system from spyware and other potentially unwanted software. We will continue to investigate these public reports."

The company's advisory also lists mitigating factors, including the fact an attacker must host the Web site that contains the contaminated Web page and could not force users to visit the malicious site. Such required user interaction can slow the exploitation rate. Also, "users whose accounts are configured to have fewer user rights on the systems could be less impacted than users who operate with administrative user rights."

Meantime, Danish-based security provider Secunia is advising enterprise users to not save, open or preview untrusted image files from email or other sources, nor open untrusted folders and network shares. It also suggests setting the security level to "high" in IE to prevent automatic exploitation. Furthermore, "the risks can be mitigated by unregistering 'Shimgvw.dll.' However, this will disable certain functionalities. Secunia do not recommend the use of this workaround on production systems until it has been thoroughly tested."

This article originally appeared on
