Virus writers have discovered a new flaw in the operating system that could leave its users open to spyware and viruses. Computers can be infected through programmes inserted into image files, without requiring the user to download any files. Simply viewing a web page or e-mail that contains an infected image is enough to release the virus into the machine. The exploit can be used to install malicious programming on the PC.

The "WMF exploit", which has been published online by a group of virus writers, is based on what security firm F-Secure describes as bad design, rather than a bug. "When Windows Metafiles were designed in late 1980s, a feature was included that allowed the image files to contain actual code," said a posting on the company's website. "This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time."

This means that the bug could affect all versions of Windows -- even going back to Windows 3.0, which was shipped in 1990. As a result, F-Secure says the WMF flaw could affect more machines than any other security vulnerability has before. However, in practice, Windows XP and Windows Server 2003 are the only platforms that can be easily affected by the exploit. Windows 2000 users who have a third-party application opening their image files are also at risk.

Conor Flynn of Rits Security, told ElectricNews.Net that the exploit could do some serious damage, as there was no official Microsoft patch to fix the vulnerability as yet.

"It has the potential to be very damaging," he said, adding that it could spread quite quickly in the coming days as people returned to work. He recommended that users avoid opening graphic attachments, and suggested that IT managers could block the attachments at the company's network security perimeter. Of course, the usual advice applies -- keep all antivirus software up to date.

"Making such tools publicly available when there's no vendor patch available is irresponsible," said F-Secure. "Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better."

The WMF exploit has already been seen in numerous forms in the past few days, including in seasonal e-mails and in messages claiming to be from US-based security agencies.

Windows users have been hit by a number of security flaws in recent months, Javascript problems in Internet Explorer, Office bugs and flawed patches. Some users who attempted to keep their systems up to date by downloading available security patches issued by Microsoft found it caused further problems with their system, while Microsoft withdrew another patch after it became concerned about quality issues.

Return To Home Page