WMF attacks on the rise

Malicious software that exploits an unpatched vulnerability in Microsoft (Profile, Products, Articles) Corp.'s Windows operating system is now the most widely reported threat on the Internet, though it does not appear to be widely infecting corporate customers, according to McAfee (Profile, Products, Articles) Inc.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

In late December, hackers posted code that took advantage of the way Windows processes graphics files in the WMF (Windows Metafile) format, and that software is now being distributed in easy-to-use tools for creating malicious software that can be used to take over an unprotected computer, said Craig Schmugar, virus research manager with McAfee.

Although most security vendors, including McAfee, already protect their customers from this malicious software, an undetermined number of users are still at risk. Microsoft has said it plans to fix the underlying problem in a security patch, scheduled for release next Tuesday, giving attackers another week in which to strike.

About seven percent of McAfee users have been exposed to malicious files that exploit the WMF vulnerability, which is the most-reported vulnerability among McAfee customers right now, Schmugar said.

ScanSafe Services LLC reports that about 15 percent of its customers are being exposed to WMF malware, according to Dan Nadir, vice president of product strategy with the Web browsing security company. "It looks like it's being spread either through e-mail images or though ads that are on sites that users are browsing," Nadir said. "There's a lot of variation. It looks like there's more than 50 unique variations of this threat that we've seen."

Instant messages that contain links to maliciously encoded WMF images are also being used to spread the malware, according to security researchers.

Neither Schmugar nor Nadir could say how many PCs have actually been infected by the vulnerability, but experts said it did not appear to be disrupting corporate users, who are typically protected by antivirus software.

"As far as we're concerned, the threat is being vastly overblown," said Russ Cooper, editor of the NTBugtraq mailing list and a scientist at security vendor Cybertrust Inc. "It's not being massively exploited."

Just two months ago, Microsoft fixed three other problems with the way Windows processes WMF images, and those vulnerabilities were not widely used with any success, Cooper said. "We've had image rendering problems in the base operating system for a long time, and still nothing massive has happened."