
Windows flaw spawns flurry of attacks

"We estimate 99 per cent of computers worldwide are vulnerable"


By Dawn Kawamoto

Published: 4 January 2006 08:15 GMT

A flaw in Microsoft's Windows Meta File (WMF) has spawned dozens of attacks since its discovery last week, security experts warned on Tuesday.

The attacks so far have been wide-ranging, the experts said, citing everything from an MSN Messenger worm to spam that attempts to lure people to click on malicious websites.

The vulnerability can be easily exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said. Older versions of the operating system, including Windows 2000 and Windows ME, are also at risk, though in those cases the flaw is more difficult to exploit, said Mikko Hypponen, chief research officer at F-Secure.

Hypponen said: "Right now, the situation is bad but it could be much worse. The potential for problems is bigger than we have ever seen. We estimate 99 per cent of computers worldwide are vulnerable to this attack."

The WMF flaw allows malicious images to execute arbitrary code, according to a security advisory issued by the Internet Storm Center. It can be exploited just by the user viewing a malicious image.

Microsoft plans to release a fix for the WMF vulnerability as part of its monthly security update cycle on 10 January, according to the company's security advisory.

Hypponen added: "We have seen dozens of different attacks using this vulnerability since Dec 27. One exploits image files and tries to get users to click on them; another is an MSN Messenger worm that will send the worm to people on your buddy list, and we have seen several spam attacks."

He added that some of the spam attacks have been targeted at select groups, such as one that purports to come from the US Department of State. The malicious email tries to lure the user into opening a map attachment and will then download a Trojan horse. The exploit will open a backdoor on the user's system and allow sensitive files to be viewed.

The WMF flaw has already resulted in attacks such as the Exploit-WMF Trojan, which made the rounds last week.

Although Microsoft has not yet released a patch, security vendors such as F-Secure and the Internet Storm Center are noting that Ilfak Guilfanov, a Russian security engineer, has released an unofficial fix that has been found to work.

In its daily security blog F-Secure noted: "Ilfak Guilfanov has published a temporary fix which does not remove any functionality from the system. All pictures and thumbnails continue to work normally."

Security companies are also advising computer users to unregister the related "shimgvw.dll" portion of the Windows platform. Unregistering the DLL, however, may also disable certain Windows functions and has not been thoroughly tested, according to a security advisory issued by Secunia.

Despite the potential for a large number of computer users to be affected by exploits related to this vulnerability, Hypponen said a widespread outbreak from a virus is unlikely as people return to work from the long holiday.

He said: "We are still far away from a massive virus. Most people get attacked by this if they [search for something on the internet] and get a million results. They may click on a link that goes to a malicious website or one that has been hacked, and then get infected."

Dawn Kawamoto writes for CNET News.com
