The problem is in the way various versions of Windows handle graphics in the WMF (Windows Metafile) format. When a vulnerable computer opens a maliciously crafted WMF file, it can be forced to execute arbitrary code. Microsoft published a first security advisory on December 28, saying it had received notification of the problem on December 27 and was investigating whether a patch was necessary.

On Tuesday, Microsoft updated the advisory to say it has completed development of its own patch, and is now testing it for release next week.

“Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006,” said the advisory, the full text of which can be found online.

The company says it carefully reviews and tests its security updates, and offers them in 23 languages for all affected versions of its software simultaneously. It “cannot provide similar assurance for independent third-party security updates,” it says.

The number of users potentially at risk is high, with all versions of Windows exhibiting the vulnerability, but the number actually affected so far is relatively low, researchers say.

However, the chance of running into a malicious WMF file is climbing, and with it the danger of running an unpatched system. Already, one security Web site has had to warn its readers to stay away: the owners of the site warned in a forum posting that hackers had modified the site so as to attempt to exploit the vulnerability on site visitors’ machines.

There is “a lot of potential risk” associated with the vulnerability, according to Jay Heiser, a research vice president with Gartner and the company’s lead analyst on information security issues. “If it can be exploited in any significant way, it would be an extremely big risk.”

“It’s a race between Microsoft and the exploit community,” he says.

The bad guys had a head start in that race. Security researchers at Websense first spotted malicious Web sites using the exploit on December 27, but those sites may have been doing so as early as December 14, the company says.

On December 28, Microsoft ambled out of the starting blocks with its first security advisory acknowledging a potential problem.

Over the weekend, it updated this to suggest a way in which users could reduce the risk by disabling an affected part of the OS, called shimgvw.dll. Microsoft warned that the fix has the side effect of stopping the Windows Picture and Fax Viewer from functioning normally. Others report that it also stops Windows Explorer from showing thumbnails for digital photos.

Unofficial Fix
Security researchers outside Microsoft had other ideas: rather than disable shimgvw.dll, they would modify it so that only the functionality considered dangerous was blocked. By December 31, programmer Ilfak Guilfanov had developed an unofficial patch to reduce the danger of attack, without impairing Windows’ graphics functions

His patch quickly won the support of security researchers including The SANS Institute’s Internet Storm Center (ISC) and F-Secure.

Mikko Hypponen, chief research officer at F-Secure, feels safe recommending the Guilfanov patch for several reasons.

“We know this guy. We have checked the code. It does exactly what he says it does, and nothing else. We’ve checked the binary, and we’ve checked that the fix works,” he says.

He has one final vote of confidence: “We’ve installed it on all our own computers.”

Sophos PLC’s Senior Security Consultant Carole Theriault advises businesses not to install the unofficial patch. “We wouldn’t recommend it, for testing reasons,” she says.

One of the hidden dangers of the WMF vulnerability is that things are not always what they appear. Usually, WMF files can be identified by their.WMF file extension, and blocked as a precaution, but attackers may choose to disguise malicious files simply by giving them another image file suffix, such as.JPG, because the Windows graphics rendering engine attempts to identify graphics files by their content, not their name. That was the case with a file with the title “happynewyear.jpg” that began circulating in e-mail messages on December 31: If opened on a Windows machine, the file attempts to download and install a backdoor called Bifrose.

As a consequence, says Theriault, businesses should keep existing antivirus protection up to date and concentrate on blocking unsolicited mail while waiting for the Microsoft patch, as this may help to screen out attacks. They should encourage users to practice safe computing by only visiting reputable Web sites and taking care with what they download, she says.