The problem with the WMF (Windows Metafile) file format turns out to be one of those careless things Microsoft did years ago with little or no consideration for the security consequences.
Almost all exploits you read about are buffer overflows of some kind, but not this one. WMF files are allowed to register a callback function, meaning that they are allowed to execute code, and this is what is being exploited in the WMF bug.
As a result, it is surprisingly easy to get hit with this attack, even if you are being careful. Ive heard stories of experienced researchers being hit while researching the attack.
One way this might have happened, and its a good example of how easy it is, is through Google Desktop. F-Secure has demonstrated that Google Desktop users can become infected simply by downloading an infected file. When Google Desktop indexes the file it launches the exploit.
Adware sites appear to be going hog-wild with this attack. According to Sunbelt Software, over a thousand sites are spreading more than 50 variants of it, thanks to an underground adware infection network that acts something like the DoubleClick of adware.
This appears to be another one of those attacks that will become a permanent part of the Internet landscape. Rather than try to keep the format useful for its customers, Microsoft ought to think of saving the rest of the world; WMF has become poisoned and its time for customers to move on.
In fact, given how this exploit works, the situation could be worse. The vulnerability is related to a GDI32 feature whereby WMF files are allowed to register a callback function that will be executed in certain situations. Perhaps resident malicious code could traverse the system and network, infecting all WMF files it encounters by adding this callback to it.
Before I get too hysterical about this, I should point out that an effective workaround exists to block the attack, albeit at the expense of some functionality in the system. See this story for instructions, which may also be found in an advisory from Microsoft (in the Suggested Actions/Workarounds/Un-register section).
Its also true that anti-virus companies have been working hard to keep up with the attacks, although there are, as I said above, a large number of variants.
This is, perhaps, where well separate the boys from the men with respect to heuristic detection (sorry for the sexist analogy, but it works): The better products should catch more of the variants through a generic detection of the exploit, but it may be impossible to detect all of them. We shall see. I tested one of the versions yesterday against the highly regarded Panda TruPrevent, which didnt stop it.
And as for users with no anti-virus protection, they were probably infected with other malware long ago, and are destined to get this too. The most likely way for someone to get this infection is to be shown a Web page with a malicious graphic, and most people will get those through pop-ups on systems that have been infected with adware.
Im told that there is a debate going on in Microsoft over whether to disable WMF file support in Internet Explorer. The fact that theres a debate probably means that Microsoft has customers relying on this behavior, and thats worth considering. To me the answer is clear: Leave it in and disable it by default. Create group and local policies to turn it back on so that larger customers and ISVs can re-enable it easily. This behavior should be extended to any, or at least most, nonstandard formats for IE.
Im hesitant at this point to go into details until there is a patch, but my own research confirms that the potential for spreading this attack far and wide is immense and that easier vectors than Web pages exist. Microsoft has already posted the workaround, but unless a real patch is imminent, the company needs to make a registry-based workaround and publish it through the Automatic Updates system so that users are quickly protected.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at firstname.lastname@example.org.