Serious vulnerability in rendering of Windows Metafile image files (.wmf)

2 January 2006

Microsoft has released a security advisory warning of a vulnerability in a Windows graphics rendering engine that could allow for remote code execution by an attacker on an affected system. Over the past few days a number of Trojans and other malware have appeared that take advantage of this vulnerability via doctored image files sent as attachments to e-mails or embedded in webpages.

The vulnerability lies in the way Windows handles the Windows Metafile (.wmf) image file format. Since the vulnerability was first discovered, numerous websites and mass-delivered e-mail messages have taken advantage of it to install spyware as well as viruses and other malware on vulnerable machines. Among other things, affected computers are used to send out thousands of spam e-mails without the knowledge or consent of their owners.

Although the behaviour creating this vulnerability is currently causing serious problems, it was originally an important feature of the Windows operating system and appears to have been part of Windows since version 3.0 was first released 15 years ago. This vulnerability therefore affects a very large number of computer users.

F-Prot Antivirus currently detects all known exploits of this vulnerability and tags them as "Security risk". We are also working on pre-emptive protection against any and all future threats attempting to take advantage of this vulnerability. Microsoft has not yet released a patch for this vulnerability but has described a workaround for users of Windows XP: these users can avoid exploit attacks by unregistering the Windows Picture and Fax Viewer.

For more information please see:

Commtouch® is a leading developer of anti virus software and anti spam filtering services. Commtouch's anti virus computer software, F-PROT Antivirus, is available for a number of operating systems such as Windows, Linux, BSD, Solaris, and AIX as well as the Microsoft Exchange groupware.
