Monday, January 2, 2006

You've Been Infected

Okay, you haven't been. At least not by us. But you could be. If I'm reading this Microsoft Security Bulletin correctly, if you're using Windows ... any version ... you are vulnerable to a flaw:
Microsoft is investigating new public reports of a vulnerability in Windows. Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site. Microsoft is aware that this vulnerability is being actively exploited.

In English, it means that some evil person could create a WMF image file, post it on a Web site, and if you visit that site, you could be compromised. And somebody posted the information. Which means that it's easier for the bad guys to use it.
Microsoft has determined that an attacker using this exploit would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and email based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

"E-mail based attack" they say? So, you're vulnerable to Web sites and e-mail.

But Microsoft is right on top of it:
Microsoft will continue to investigate these reports and provide additional guidance depending on customer needs.

"Continue to investigate these reports" eh? Great.

Microsoft isn't hiding this. It's on their Security Web site. Not at the top. At the bottom. Scroll all the way down.

Now isn't this whole thing just totally amazing? It impacts every currently supported version of Windows. From Windows 98 on. What about Windows 95? I don't know. But Microsoft doesn't support Windows 95 anymore, so if you're running a 10-year-old operating system, you probably can't read this little blog anyway.

So, the problem isn't new. It looks like it's something that's been around for a while. Which means if you're using Windows (94% of visitors to this little blog), you've always been vulnerable to it.

How long has Microsoft known about the problem? I don't know. But somebody released the code on how to exploit it. Thanks guys. Thanks a bunch.

So, until Microsoft comes up with a patch, what do you do? F-Secure says a fix has been created by Ilfak Guilfanov, a programmer and blogger.

It's not an official fix, but it's all there is right now.

A blogger to the rescue.


  1. Wow. That posting title made me do a double take. In summary (of nothing on my part), Mac users unite!!!

  2. Yeah. And Linux is looking mighty good, too.

  3. [...] Via basil’s blog » You’ve Been Infected Okay, you haven’t been. At least not by us. But you could be, if I’m reading this Microsoft Security Bulletin correctly, if you’re using Windows ... any version ... you are vulnerable to a flaw… Search [...]

  4. Read this over at Technicalities last night and installed Ilfak's patch. Doesn't seem to have done any harm to my laptop with XP and hopefully I'll be safe. ;-)

  5. And that is reason #5,798 that I switched to Linux 4 years ago

  6. And I still don't understand how an *image* file can contain malicious code that gets *executed* on the target machine. What happened to the good old days of image files containing *images*?

  7. [...] It looks like my plan to take over all the computers in the world with Windows operating system might be foiled. I have it on good authority that the Dynamic Dumbos have stumbled onto a fix for my bug. [...]

