ComputersIT SecurityLinux

Windows WMF Security Vulnerability

There is a new security vulnerability that has been found in Microsoft Windows. Actually this is not really a new vulnerability as this affects just about every single computer that is running Windows from Windows 3.0 onwards (e.g. about 1990), but it’s only recently been recognised as a vulnerability. There are now exploits out on the Internet.

The vulnerability is in Windows Meta Files, which is a graphics format, files normally end in .wmf.

An interesting fact, is that this is not a bug in the software, but a insecure design. The file is designed to allow you to run code. One of the problems with the Windows operating system, is that it was never designed to be secure. When this "feature" was first added it was not expected that computers would connect around the world via a global Internet. There were still viruses around then, but they were passed around using floppy disks.

This won’t be fixed for a few days, but what concerns me is the Microsoft statement on the vulnerability which states:
"Customers who follow safe browsing best practices are not likely to be compromised by any exploitation of the WMF vulnerability. Users should take care not to visit unfamiliar or un-trusted Web sites that could potentially host the malicious code."
I’m a little unsure about what a safe browsing practice is. Perhaps if you only have a few websites you only ever visit then you should be OK, but doesn’t anyone at Microsoft use the Internet to research anything?
I don’t go to known unsafe websites, but if I’m looking for something I will search for it and click onto sites that I’ve never been to before. I don’t have any kind of magic device that allows me to check the website before visiting it. I’m sure many people would agree that although they don’t intentionally visit any "dodgy" websites they still end up with annoying spyware on their computers.

If you have recently updated virus protection software, then it should help protect you from this vulnerability, if not then you can download AVG Anti-Virus for free, or search Google for alternative software:

I also notice that if you use the Firefox browser then it will prompt what to do with the image, and as long as you cancel at this point you should be OK, although the problem is with the operating system and not the browser.