A few thoughts on the WMF vulnerability


Hi folks, this is Kevin Kean from the MSRC, writing what may just be my last MSRC blog entry for 2005. This morning we noticed that there are some people who are still looking for more information about the Windows Metafile (WMF) vulnerability that we issued a security advisory for on Wednesday. I thought it would be helpful to let you all know what we know about this and what we are doing to take care of it.


Since earlier this week, my team has been hard at work investigating this vulnerability. We take situations such as this one very seriously. 


We are aware of publicly released, detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on a user’s system by hosting a specially crafted WMF image on a malicious Web site. We have determined that an attacker would have no way to force users to visit such a malicious Web site. Instead, an attacker would have to persuade someone to visit the Web site, typically by getting them to click a link that takes them to the attacker’s Web site.


We have been asked a number of times whether this vulnerability can be exploited via email. I want to be very clear in the response so all users can understand the situation. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and e-mail based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


When we complete this investigation, we’ll do what is best to help protect our customers. We have determined that this vulnerability will be fixed through a security update, and we will release that either through the regular monthly release cycle or out-of-cycle, depending on customer needs.


Right now, we are working very closely with our anti-virus partners and aiding law enforcement with its investigation. We continue to recommend that customers follow our security guidance, including being careful where you browse, never accepting email attachments from unknown senders, keeping your anti-virus software up to date, enabling a firewall and staying current on security updates.


Have a safe and happy New Year!


*This posting is provided “AS IS” with no warranties, and confers no rights.*