Microsoft has issued a security advisory warning about an unpatched security hole in Windows that is actively being exploited by online criminals.
Attackers are using a flaw in the way that Windows handles the .wmf (Windows Metafile) graphic file format. A specially crafted .wmf image placed on a website or sent through a spam e-mail could allow the criminal to execute code on a user’s system.
The arbitrary code execution lets the attacker install spyware or recruit a system for a zombie network, a collection of computers used for online crimes including sending spam or launching distributed denial of service attacks.
Microsoft urged users to update their antivirus software, and said that it is investigating the issue. A patch is being developed which will be released either through Microsoft’s monthly patch cycle on the second Tuesday of the month or as an out-of-cycle security update.
Security firm Secunia gave the vulnerability its highest severity ranking of “extremely critical”.
Security firm F-Secure said on its blog that it has seen at least three different computer worms that exploit the security hole. The company refers to the worms as W32/PFV-Exploit.A, .B and .C. The threats are being spread by spam e-mail messages and through several websites.
Users of Microsoft’s Internet Explorer are automatically infected when they visit a webpage hosting an infected image. Firefox will first ask the user before opening the file. If the user approves, the PC will be infected.
The US Computer Emergency Readiness Team described several workarounds on its website that will mitigate but not eliminate the risk until Microsoft releases a patch.
The workaround includes avoiding .wmf files from untrusted sources and resetting the file association, or opening the files with an application other than Windows Picture and Fax Viewer.
Although Microsoft acknowledged that the flaw is being actively exploited, the company claimed that the scope of the attacks is not widespread.
Antivirus software is blocking most of the attacks through updated signature files, allowing the security software to recognise infected files before they can cause any harm, according to Microsoft.
Russian software engineer Ilfak Guilfanov has already released an unofficial fix which F-Secure has endorsed on its company blog.
Users who choose to install Guilfanov’s patch will have to uninstall it before they run Microsoft patch.
Microsoft indicated that it would issue a patch in the normal monthly cycle, expected in the second week of January. However, in what has been interpreted as a reaction to the seriousness of the threat and growing pressure, the WMF patch was released on Friday 6 January.
Subscribers 0
Fans 0
Followers 0
Followers