Windows metafile hole requires unofficial patch

By Brian Livingston

A weakness in the way Windows renders images is being exploited on the Internet and affects any browser you may be using, not just Internet Explorer.

Microsoft has no patch for the problem at this writing. An official patch may appear at any time, or it may take days or weeks. I recommend that you immediately run a small, unofficial patch that was developed by white-hat security researchers to make your PCs immune to the problem.

Not just .wmf files are suspect

I don’t ordinarily publish a news update for every new Windows security threat that appears. Instead, I urge my readers to install one piece of hardware and two pieces of software that I call the Security Baseline (see my Dec. 15, 2005, description). You then configure Windows and your security programs so they automatically download all critical updates.

That way, you’re protected against most exploits — and you can safely enjoy personal computing instead of constantly tweaking your PC to defend against real or imagined threats.

The new “WMF Metafile” vulnerability is different:

It can infect your PC if you merely view an image formatted as a Windows metafile on a Web page, in an e-mail attachment, or on your hard disk.

Every browser is vulnerable — IE, Firefox, Opera, and others — because the image is not being rendered by the browser. It’s rendered by Windows’ own Picture and Fax Viewer (Shimgvw.dll, also known as the Shell Image View Control). New versions of Firefox do display an alert when a suspicious image is encountered on a Web page. But since viewing an image is usually harmless, most users will click OK, exposing themselves to infection.
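Because the rendering path is chosen by file content rather than by file extension, a useful triage check is to sniff candidate files for a WMF header regardless of what they are called, and then walk the metafile's records. This is an added example, not code from the article or from the unofficial patch it recommends: it parses the standard and placeable WMF headers and flags any META_ESCAPE record carrying the SetAbortProc escape, which public analyses of this vulnerability identified as the trigger (the article itself does not name it). The sample files are constructed inline and are benign, with no escape payload at all.

```python
import struct

# WMF constants (from the published Windows Metafile format, not from the article)
PLACEABLE_KEY = 0x9AC6CDD7   # Aldus/placeable header magic
META_ESCAPE = 0x0626         # record function: GDI Escape
META_EOF = 0x0000            # record function: end of metafile
SETABORTPROC = 0x0009        # escape function abused by the 2005/2006 exploits


def wmf_header_offset(data: bytes):
    """Return offset of the standard META_HEADER if `data` is WMF by content, else None.

    A placeable header (22 bytes) may precede the standard header (18 bytes).
    The file extension is deliberately ignored: Windows picks the renderer by content.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return None
    mtype, header_words, version = struct.unpack_from("<HHH", data, off)
    if mtype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
        return off
    return None


def scan_wmf(data: bytes) -> dict:
    """Walk metafile records and report escape functions seen.

    Returns {"is_wmf": bool, "escapes": [escape codes], "setabortproc": bool}.
    Malformed records (size < 3 words) stop the walk rather than being trusted.
    """
    off = wmf_header_offset(data)
    if off is None:
        return {"is_wmf": False, "escapes": [], "setabortproc": False}
    pos = off + 18
    escapes = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or func == META_EOF:
            break
        if func == META_ESCAPE and pos + 8 <= len(data):
            esc = struct.unpack_from("<H", data, pos + 6)[0]
            escapes.append(esc)
        pos += size_words * 2
    return {"is_wmf": True, "escapes": escapes,
            "setabortproc": SETABORTPROC in escapes}


def _build_wmf(records, placeable=False) -> bytes:
    """Assemble a minimal, benign WMF from pre-packed records (constructed sample)."""
    body = b"".join(records)
    max_rec = max(struct.unpack_from("<I", r, 0)[0] for r in records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    prefix = b""
    if placeable:
        # key, handle, bbox(4 x int16), inch, reserved, checksum (checksum left 0)
        prefix = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    return prefix + header + body


EOF_REC = struct.pack("<IH", 3, META_EOF)
SETMAPMODE_REC = struct.pack("<IHH", 4, 0x0103, 8)                # harmless drawing record
ESCAPE_SETABORT_REC = struct.pack("<IHHH", 5, META_ESCAPE, SETABORTPROC, 0)  # zero-length data

# Constructed samples keyed by the name a user would see; extensions are misleading on purpose.
SAMPLES = {
    "holiday.jpg": _build_wmf([ESCAPE_SETABORT_REC, EOF_REC]),
    "chart.wmf": _build_wmf([SETMAPMODE_REC, EOF_REC], placeable=True),
    "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 40,
}


def triage(samples: dict) -> list:
    """Return names of files that are WMF by content and carry a SetAbortProc escape."""
    return [name for name, data in samples.items() if scan_wmf(data)["setabortproc"]]


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, scan_wmf(data))
    print("flagged:", triage(SAMPLES))
```

The point the check makes is the one in the heading above: a file called holiday.jpg is still a metafile if its bytes say so, and an extension-based mail or web filter will not catch it. The placeable checksum is not verified here, since the renderer does not require it either.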


Windows Secrets, 2006-01-04