WMF exploit explained

Microsoft has a New Year’s gift to their customers, otherwise known as the Windows / WMF exploit.

A few days ago in this newsletter we said that 2006 would be an interesting year – perhaps in the manner of the Chinese curse. Who knew Microsoft would make the curse come true in the first week of the year?

In this special issue we’ll try to explain what is going on and tell you what precautions you should take.

As usual, much of the coverage seems aimed at either scaring people or downplaying the risk as much as possible – and, also as usual, we’ll try to take a middle course by explaining the problem and what you should be careful about.

Make no mistake, this is a serious problem for which Microsoft has only itself to blame. While the flaw is being exploited in messages and on web sites aimed at the public, a little care and our usual set of recommended precautions will keep you safe while you get on with your computing life.


WHAT’S THE PROBLEM?

WMF stands for Windows Meta File, a type of image that uses Microsoft’s own technology and specifications. WMF files are not commonly used on web sites or in emails because they are Windows-specific. However, all Office users will have used WMF files, because WMF is the format used for Microsoft Office Clipart.

Hackers have found a way to make a program run on your computer simply by having you view a WMF file. Once there’s a way to run code on your computer from a remote site, there’s an opportunity to infiltrate your computer with viruses or privacy-breaching programs.

Often these exploits are only theoretical: someone finds the problem and tells the anti-virus companies and Microsoft, who then act with varying degrees of efficiency to guard against the potential threat. In many cases these problems are never used by baddies, or ‘in the wild’ as it’s called in the industry.

The WMF exploit is different: it is out there and being used. That’s why companies like Symantec have rated this as high risk.


WHO CAN BE AFFECTED?

Anyone running Windows from Windows 98 through Windows ME, Windows 2000 and Windows XP. This includes Windows Server editions including Windows Server 2003.

In other words if you’ve paid money to Microsoft for an operating system anytime in the last seven years then you’re at risk.

HOW CAN I BE INFECTED?

There are many ways to be infected, and that’s why this security breach is such a problem.

Pretty much any way you can think of to view an image in Windows is a potential source of infection. Just viewing an image is enough – you don’t have to do anything else.

The usual risk points apply, such as:

  • Downloading and opening a file from a web site.
  • Opening an infected file in an email attachment.

But there are many more opportunities for infection. Because just viewing a WMF image can infect your computer, the risky behaviors also include:

  • Viewing a web page that has a WMF image on it
  • Viewing an email message with a WMF image embedded in it for display
  • Using the Preview pane in Outlook or Outlook Express to view an email with a WMF image embedded.
  • Viewing an image sent to you via an instant message.
  • Any other way you can think of to get files onto your computer; newsgroups, CD, floppy, USB key, stork, carrier pigeon, whatever.
  • Browsing a folder on your computer that has an infected WMF file in it; presumably the thumbnail view is especially at risk.

Most of the time, web pages and emails use GIF or JPG images and not WMF files.

While we’ve seen no proof of this, it seems probable that a WMF image in an Office document (Word, Excel, PowerPoint, Publisher etc) could also infect your computer. However, I stress that we’ve not been able to confirm this possibility.

Because just viewing a web page can be a problem, this brings a new dimension to ‘phishing’ (all those fake messages from banks and Paypal that try to get you to enter your login details on a fake web site). Now all the baddies have to do is get you to click on a link and view their web page, and the trouble begins.

While we’ve listed all the potential sources of the threat, the majority of attacks so far have come from an email with either a link to a web site with an infected image or an image to be displayed in the email itself.

WHAT CAN I DO?

Microsoft says you should be careful of emails from unknown sources, which sounds great and is often repeated by media who should know better. Microsoft must know that advice is of limited value.

As we’ve mentioned in our Email Essentials newsletter on many occasions, messages can be ‘spoofed’ so the real sender is faked. Because the FROM address can be ‘farmed’ from the data on an infected computer it’s quite possible for a message to appear to come from someone you know.

Certainly you should make sure that your anti-virus and anti-spyware software is up to date. Use the update facility on a daily basis until this problem is resolved by Microsoft.

Eventually Microsoft will release patches that will stop the exploit and once that happens you can update your copy of Windows. Doubtless there will be wide coverage in the media when that happens and we’ll mention it in our newsletters as well.

Some people are recommending that you disable the Windows library SHIMGVW.DLL but this might not fully protect you.

Windows XP Service Pack 2 and Windows Server 2003 have Data Execution Prevention (DEP), which provides some level of protection. Normally it is only enabled for core Windows programs and services, but you can broaden the coverage to all programs. However, this may cause programs not to run or to behave strangely on your computer. DEP is found at Control Panel | System | Advanced | Performance | Settings | Data Execution Prevention.

You can set Outlook to display only plain text versions of emails (without HTML formatting or embedded images). We’ve talked about this before but include the details below.


HOW TO SWITCH OUTLOOK TO PLAIN TEXT ONLY

From Outlook 2002 SP1 onwards the following registry key will change the way Outlook displays messages:

HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail

Create a new DWord Value called ReadAsPlain then change the value to 1 then restart Outlook.

All HTML messages (except digitally signed messages) will be displayed in plain text both in the preview pane and when you open the message. Keep in mind that the plain text rendering may look very strange and not in any way like what the sender intended. There is no way to quickly switch from plain text to HTML or vice-versa.
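
The registry change described above, written as a PowerShell function; this is an added example and not part of the original newsletter. The function name `Set-OutlookReadAsPlain` and its parameters are assumptions made here, and `10.0` is the Office version that appears in the key above.

```powershell
# Added example: set or clear Outlook's ReadAsPlain value for the current user.
# Set-OutlookReadAsPlain and its parameter names are hypothetical, chosen for this example.
function Set-OutlookReadAsPlain {
    param(
        # 10.0 is the Office version in the key given in the article.
        [string]$OfficeVersion = '10.0',
        # $true writes ReadAsPlain = 1 (plain text only); $false writes 0.
        [bool]$Enable = $true
    )

    $path = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"

    # The Mail key may not exist yet on a profile that never changed mail options.
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }

    $value = if ($Enable) { 1 } else { 0 }

    # -Force creates the DWORD value or overwrites an existing one.
    New-ItemProperty -Path $path -Name 'ReadAsPlain' -PropertyType DWord `
        -Value $value -Force | Out-Null

    # Read the value back so that a silent failure does not go unnoticed.
    $actual = (Get-ItemProperty -Path $path -Name 'ReadAsPlain').ReadAsPlain
    if ($actual -ne $value) {
        throw "ReadAsPlain is $actual, expected $value at $path"
    }

    [pscustomobject]@{ Path = $path; ReadAsPlain = $actual }
}

# The setting takes effect only after Outlook is restarted, so flag a running instance.
if (Get-Process -Name 'OUTLOOK' -ErrorAction SilentlyContinue) {
    Write-Warning 'Outlook is running; restart it for the change to take effect.'
}

Set-OutlookReadAsPlain -OfficeVersion '10.0' -Enable $true
```

Calling the function with `-Enable $false` writes 0 to the same value, which returns Outlook to its normal HTML display after the next restart.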
