Neil Turner's Blog

Blogging about technology and randomness since 2002

The WMF Flaw – what we know

There’s a lot being said about the WMF flaw. Since my last post, it has become apparent that the code causing the WMF exploit has been in Windows since Windows 3.0. This was released in 1990, making the flaw over 15 years old. Yet only now is anyone aware of it or actively exploiting it.
Potentially, this means that this vulnerability will affect more computers than any other software flaw ever, since it’s been in every version of Windows since 1990. But it’s not that simple. Apparently, according to this research by eWeek, the flaw will only affect Windows XP and Windows Server 2003, because in the past WMF files have not been associated with any program by default. It is only with the advent of the Windows Picture and Fax Viewer, which supports WMF amongst other image formats, that this flaw has become a threat.
But, there’s another but. Some of the viruses taking advantage of this flaw have been using JPG file extensions, even though the files themselves are WMF files. What this research didn’t test was whether viewing an infected WMF file disguised as a JPG file caused an infection. Microsoft has this to say on the subject:

At this point, the only image format affected is the Windows Metafile (WMF) format. It is possible however that an attacker could rename the file extension of a WMF file to that of a different image format. In this situation, it is likely that the Graphic Rendering engine would detect and render the file as a WMF image which could allow exploitation.

If that’s the case, then users of most other recent versions of Windows are also affected, i.e. Windows 95, 98, 2000, NT and Me. Still, Windows XP is now the most widely used operating system on the internet, so even if the flaw only affects XP it still means that a large number of users could get infected, should a virus use this method of propagation.
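Microsoft's statement above implies that a file's extension says nothing reliable about whether it will be rendered as WMF, so a defensive check has to look at the content. The sketch below is an added example, not code from this post or from Microsoft: it flags files whose leading bytes form a WMF header while the name carries another image extension. The function names and sample byte strings are constructed for illustration; the header values (placeable key 0x9AC6CDD7, standard header size of 9 words) are those of the published WMF format.

```python
import struct
import sys
from pathlib import Path

# On-disk signatures: placeable WMF key 0x9AC6CDD7 (little-endian), JPEG SOI marker.
PLACEABLE_WMF = b"\xd7\xcd\xc6\x9a"
JPEG_SOI = b"\xff\xd8\xff"
# Extensions a WMF file might be renamed to (assumed list for this example).
IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}

def sniff(data: bytes) -> str:
    """Classify a buffer by its leading bytes, ignoring any file name."""
    if data.startswith(PLACEABLE_WMF):
        return "wmf"
    if len(data) >= 6:
        # Standard WMF header: Type (1=memory, 2=disk), HeaderSize (9 words), Version.
        ftype, hdr_words, version = struct.unpack_from("<HHH", data)
        if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    if data.startswith(JPEG_SOI):
        return "jpeg"
    return "unknown"

def is_disguised_wmf(name: str, data: bytes) -> bool:
    """True when the content is WMF but the extension claims something else."""
    return sniff(data) == "wmf" and Path(name).suffix.lower() != ".wmf"

def scan(root: str):
    """Yield image-named files under root whose header bytes are WMF."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTS:
            with path.open("rb") as fh:
                head = fh.read(32)  # the header check needs only the first bytes
            if is_disguised_wmf(path.name, head):
                yield path

# Constructed sample headers (header bytes only, no drawing records).
SAMPLE_STANDARD_WMF = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
SAMPLE_PLACEABLE_WMF = PLACEABLE_WMF + bytes(18) + SAMPLE_STANDARD_WMF
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"WMF content behind non-WMF extension: {hit}")
```

A hit only means the file is a metafile under another name; it does not say whether the file is malicious, so treat it as a reason to inspect the file rather than as a verdict.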
Thankfully, though there have been isolated reports of viruses, none seem to have spread widely yet, and most anti-virus programs have employed heuristic scanning to detect malicious code that exploits this flaw. As long as your anti-virus program is up to date and set to scan WMF files (most scan all opened files by default anyway), it’s likely that you will be protected. You can, and indeed should, go further by un-registering the Windows Picture and Fax Viewer DLL (which will stop this program from working, but will also keep you safe) and installing this temporary hotfix. Microsoft’s next patch day will be a week today – January 10th – so presumably the most we have to wait for an official fix is 7 days.
Update: Microsoft has updated their advisory to state that the patch will be available on Tuesday 10th January. They have completed development of the patch; however, it still requires testing and localisation, so that it will work on all native language versions of Windows and won’t cause any further side effects. Unfortunately, when you have a big, complex operating system like Windows used by so many different computers with so many different configurations, being able to identify and fix a flaw without causing any further problems in only two weeks is not easy.

One Comment

  1. The whole WMF thing is scary, but really, who uses WMF apart from M$ clipart?