On December 28, 2005, a new Windows zero-day exploit was released concerning a design feature in Windows which allows an external program to be executed in the event that a WMF file can't be successfully loaded. It is possible to install a Malware program on to a Windows machine and have Windows itself execute the program by having the user load a bad WMF file using email, a Web browser, IM, or viewing the file using the Thumbnail view in Windows Explorer. The WMF file can have any file extension and the exploit will still run.
This exploit affect ALL VERSIONS OF WINDOWS starting with Window 95.
This is a very effective and easily exploitable vulnerability. Over fifty Malware programs have so far been identified as using it. More are certainly being created, and this problem will be in the news for weeks to come. This vulnerability makes the Sony BMG rootkit look like script kiddie stuff.
Although Microsoft has not yet issued a effective solution for this vulnerability, an independent programmer, Ilfak Guilfanov, has released a tool that permanently fixes the vulnerability for Windows NT, 2000, XP, Server 2003, and 64-bit XP. (There is no known fix for Windows 9x and ME.)
The security researcher Steve Gibson worked with Ilfak to to create this tool and fully endorses its effectiveness. You can download the fix from Gibson's Security Now web site at
http://grc.com/sn/notes-020.htm, or directly from Ilfak's web site at
http://www.hexblog.com/2005/12/wmf_vuln.html. The full source code to the tool is also on Ilfak's Web site.
If you do not think that your Web browsing, file downloading, and image file viewing habits put you at an immediate risk, then you may prefer to wait until an official patch is released by Microsoft. When such a patch will be available is not currently known.
