Microsoft is investigating new public reports of a vulnerability in Windows. Microsoft is also aware of the public release of detailed exploit code that could be used to exploit this vulnerability. Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system by hosting a specially crafted Windows Metafile (WMF) image on a malicious Web site. Microsoft is aware that this vulnerability is being actively exploited.
In English, it means that some evil person could create a WMF image file, post it on a Web site, and if you visit that site, you could be compromised. And somebody posted the information. Which means that it's easier for the bad guys to use it.
Microsoft has determined that an attacker using this exploit would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. In an e-mail based attack, customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability. In both the web and email based attacks, the code would execute in the security context of the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
"E-mail based attack" they say? So, you're vulnerable to Web sites and e-mail.
But Microsoft is right on top of it:
Microsoft will continue to investigate these reports and provide additional guidance depending on customer needs.
"Continue to investigate these reports" eh? Great.
Microsoft isn't hiding this. It's on their Security Web site. Not at the top. At the bottom. Scroll all the way down.
Now isn't this whole thing just totally amazing? It impacts every currently supported verion of Windows. From Windows 98 on. What about Windows 95? I don't know. But Microsoft doesn't support Windows 95 anymore, so if you're running a 10-year old operating system, you probably can't read this little blog anyway.
So, the problem isn't new. It looks like it's something that's been around for a while. Which means if you're using Windows (94% of visitors to this little blog), you've always been vulnerable to it.
How long has Microsoft known about he problem? I don't know. But somebody released the code on how to exploit it. Thanks guys. Thanks a bunch.
So, until Microsoft comes up with a patch, what do you do? F-Secure says a fix has been created by Ilfak Guilfanov, a programmer and blogger.
It's not an official fix, but it's all there is right now.
A blogger to the rescue.