Windows Metafile WMF Vulnerability – 0-Day Exploit Overdrive


A recently discovered Windows Metafile (WMF) vulnerability is the latest Windows vulnerability to have its own 0-day exploit, and this is a nasty one. A 0-day exploit (also known as a “zero-day exploit”) is an exploit that is already available on the same day as, or even before, the vulnerability itself is announced.

In this case, the Windows Metafile (WMF) vulnerability is so nasty because the zero-day exploit is so nasty. And the 0-day exploit is so nasty because, in Microsoft’s own words, it “could allow an attacker to execute arbitrary code on the user’s system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site.”

In other words, by putting a poisoned WMF image on their website, an attacker can cause your browser, when you view the image, to open a big gaping security hole into your computer system.

While there have been official sightings of at least three different exploits already taking advantage of the Windows Metafile vulnerability, some sources are citing as many as seventy known malicious programs which can take advantage of the WMF issue.

Explained Mikko Hypponen, Chief Research Officer for security company F-Secure, “Do note that it’s really easy to get burned by this exploit if you’re analyzing it under Windows. All you need to do is to access an infected web site with IE (Internet Explorer) or view a folder with infected files with the Windows Explorer.”

So what can you do?

Well, using a browser other than Internet Explorer can help, but it’s no assurance. Opera and Mozilla also render WMFs; however, in most instances, I’m told, they prompt the user before doing so (to which you say a resounding “no!”).

And while there is not yet an official patch from Microsoft (one is expected next week), trusted industry insider Ilfak Guilfanov has made an unofficial patch available through his Hexblog. While that site is taking a lot of heavy hits as people rush to get the patch, Steve Gibson over at Gibson Research has made a mirror available, along with a lot of other information about the Windows Metafile vulnerability. You can check that out over at Gibson Research.

And, of course, make sure that your anti-virus software is up to date. Now!
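For anyone who has to handle suspect files, Hypponen's warning above argues for triaging them without letting Windows render them. The following Python script is an added example, not part of the original article or of any vendor's tool: run from a non-Windows analysis machine, it flags files whose leading bytes match the WMF header layout, judging by content rather than by file name. The function names, the constructed sample header and the command-line usage are assumptions made for illustration.

```python
import struct
import sys
from pathlib import Path

PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte "placeable" pre-header
PLACEABLE_LEN = 22
STD_HEADER_LEN = 18          # standard header: HeaderSize field holds 9 (16-bit words)

# Constructed sample: a bare 18-byte standard header, not taken from any real file.
SAMPLE_HEADER = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)


def wmf_kind(data: bytes):
    """Return 'placeable', 'standard' or None from leading bytes; nothing is rendered."""
    kind = "standard"
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        data, kind = data[PLACEABLE_LEN:], "placeable"
    if len(data) < STD_HEADER_LEN:
        return None          # too short (or truncated) to hold a WMF header
    ftype, hdr_words, version = struct.unpack_from("<HHH", data)
    # Type 1 = in-memory, 2 = on-disk metafile; version is 0x0100 or 0x0300.
    if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
        return kind
    return None


def scan(root):
    """Yield (path, kind) for every file under root whose content looks like a WMF."""
    for path in Path(root).rglob("*"):
        try:
            if not path.is_file():
                continue
            with path.open("rb") as fh:
                kind = wmf_kind(fh.read(PLACEABLE_LEN + STD_HEADER_LEN))
        except OSError:
            continue         # unreadable entries are skipped, not fatal
        if kind:
            yield path, kind


if __name__ == "__main__":
    for found, kind in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:9} {found}")
```

A hit only means the file is a metafile by content; it says nothing about whether that file is malicious, so flagged files still go to an up-to-date scanner.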


One thought on “Windows Metafile WMF Vulnerability – 0-Day Exploit Overdrive”

  1. Hi all,

    It’s been an interesting day. I saw your security article and thought you might like to be aware of this. Here’s a post I made recently in a security forum I frequent called Temerc. Since I use mostly Win9x machines at home, I was forced to find an alternative patch for the WMF exploit. The one you mention above is only for WinXP and related OSes.

    *** From me at https://web.archive.org/web/20190624162825/http://temerc.com/ ***
    Hi all,

    Today at work we saw our first casualty due to the WMF exploit. One of my co-workers was foolishly searching for and downloading screen savers. Fortunately our IS department noticed the infected machine probing our intranet. The machine was taken offline and given a complete wipe. My co-worker will now spend a good part of tomorrow re-loading all the special software they were running. It’s a hard lesson, but not nearly as hard to take as the chuckles around the water cooler. LOL

    I’m guessing it will be a while before they load any screen savers.

    Based on what I saw today, I’m becoming more concerned about this exploit. I went out and loaded a temporary fix I found at NOD32. This one works on Win9x, ME, and the rest. It can also be uninstalled at any time through the add-remove panel.

    Have fun!

    Clif @

    WMF Patch by Paolo Monti @
