Microsoft Windows vulnerability puts Web surfers at risk

Simply opening the wrong Web page or receiving an e-mail with an errant image file could be enough to cripple your computer, thanks to a newly discovered vulnerability in the Microsoft Windows operating systems.

'We believe that this vulnerability is extremely serious,' e-mailed Scott Fendley, today's Handler on Duty for the SANS Institute's Internet Storm Center. 'It is extremely hard to protect against this vulnerability. It is not as easy as filtering files of a particular extension or setting a group policy.'

Microsoft Corp., of Redmond, Wash., has warned that the vulnerability is already being exploited by spyware, adware and viruses written to alter the behavior of users' computers. The company is working on a patch, but has not said when it will be ready.

The vulnerability rests in the graphics rendering engine of the operating system, which can execute hostile commands embedded in a Windows Metafile image. WMF is a file format frequently used for thumbnails and other images.

'Microsoft Windows contains routines for displaying various Windows Metafile formats. However, a lack of input validation in one of these routines may allow a buffer overflow to occur, and in turn may allow remote arbitrary code execution,' said a US-CERT bulletin issued Dec. 28.

Part of the reason the vulnerability is so dangerous is that 'most people have been conditioned to think that image files are safe to open,' Fendley said. All it takes is one individual 'to write a virus with this that looks like Christmas pictures from the grandkids, and suddenly you can easily get most people to open the file.'

Malicious code could be activated through the preview function of an e-mail client, or by rendering a Web page or a pop-up ad. Microsoft advises users not to visit unknown Web sites or open e-mail from strangers. The company also recommends updating anti-virus software and applying available security updates to the operating system.

Microsoft Windows 98, ME, XP, Server 2003 and 2000 are all vulnerable to the attack. IBM Lotus Notes is also vulnerable to exploits, according to John Herron, owner of the Network Information Security and Technology News, a consulting firm focusing on government technology mandates and IT security.

Herron is working with a government agency that has blocked all incoming image files until the matter is resolved. He said it is possible for intrusion detection systems to detect all incoming WMF files, even those disguised as JPEGs. But most e-mail virus checkers won't let administrators add new signatures, so it would be harder for them to check message traffic.

'This is going to be tough going until Microsoft releases a fix. It's far too easy to send an infected WMF disguised as a JPEG and trick people to open it (or preview it),' Herron said.
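The detection Herron describes relies on the file's header rather than its name: a WMF file carries a recognizable header whatever extension it arrives under. The following is an added example, not code from the article or from any of the products it mentions, that classifies an attachment by its leading bytes and flags any WMF, including one named as a JPEG. The sample inputs are constructed headers, not real images, and the field values in them are assumptions.

```python
import struct
from pathlib import PurePosixPath

# Magic number of the "placeable" (Aldus) WMF header, stored little-endian.
PLACEABLE_WMF_KEY = 0x9AC6CDD7
# Every JPEG begins with the SOI marker followed by another marker byte.
JPEG_SOI = b"\xff\xd8\xff"

def sniff_image_type(data: bytes) -> str:
    """Classify image bytes by their header, ignoring the file name entirely."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == PLACEABLE_WMF_KEY:
        return "wmf-placeable"
    if len(data) >= 6:
        mt_type, header_size, version = struct.unpack("<HHH", data[:6])
        # Standard METAHEADER: type 1 (memory) or 2 (disk), 9 words long, version 1.0 or 3.0.
        if mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"

EXTENSION_TYPES = {".jpg": "jpeg", ".jpeg": "jpeg", ".wmf": "wmf"}

def check_attachment(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the header says; flag every WMF."""
    claimed = EXTENSION_TYPES.get(PurePosixPath(filename).suffix.lower(), "unknown")
    actual = sniff_image_type(data)
    is_wmf = actual.startswith("wmf")
    return {
        "filename": filename,
        "claimed": claimed,
        "actual": actual,
        "flag": is_wmf,                          # block/quarantine regardless of name
        "disguised": is_wmf and claimed != "wmf",  # WMF content under a non-WMF name
    }

# Constructed sample inputs (headers only, not real images; values are assumptions).
SAMPLE_PLACEABLE_WMF = (
    struct.pack("<IHhhhhHIH", PLACEABLE_WMF_KEY, 0, 0, 0, 100, 100, 96, 0, 0)
    + struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
)
SAMPLE_STANDARD_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in [("grandkids.jpg", SAMPLE_PLACEABLE_WMF),
                       ("thumb.jpg", SAMPLE_STANDARD_WMF),
                       ("real.jpg", SAMPLE_JPEG)]:
        print(check_attachment(name, blob))
```

A mail gateway or IDS rule built this way still has to see the attachment bytes; it does not help with content that is already compressed or encrypted.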

About the Author

Joab Jackson is the senior technology editor for Government Computer News.
