Microsoft Windows metafiles are a vector for computer viruses
Monday, January 2, 2006
Microsoft Windows metafiles have been discovered to be a vector for computer viruses, as they are treated as image files, but can execute machine code. Windows metafiles often use the extension .wmf files, but they may also execute if their extension is .jpeg, .png or any other common image extension.
This vulnerability affects any Windows software which displays images, including instant messenger software, email clients, and web browsers. Firefox reduces the vulnerability by asking a user before executing Windows metafiles, but metafiles masquerading as another format will still be executed automatically by the operating system.
Microsoft has not yet issued a patch for the vulnerability, prompting Ilfak Guilfanov to release an unofficial patch. Microsoft's security advisory recommends unregistering shimgvw.dll to disable handling of Windows MetaFiles. Critics point out that shimgvw.dll could become re-registered by malicious processes or other installations. They also suggest that malicious Windows Metafiles could merely remain "dormant" until shimgvw.dll is re-registered.
The exploit has been used to attack online forums which allow embedding of image files via <img> tags, prompting some gaming forums to disable <img> tags . Any site accepting image media upload, such as avatars, will also be vulnerable if this site accepts .wmf files, possibly masquerading as another media file format.
The McAfee antivirus company said the WMF vulnerability is being exploited to drop over 30 variants of the Bifrose backdoor trojan horse, and exploitation by other malware is likely. McAfee estimates the first generation of such exploits had infected more than 6% of their customer base by 31 December 2005.
"The WMF vulnerability probably affects more computers than any other security vulnerability, ever," said Mikko of F-Secure. 
- F-secure's coverage of the vulnerability
- Viruslist.com's anaysis of the IM worm.
- Viruslist.com's initial report
- Microsoft Security Advisory (912840)
- US-CERT Vulnerability Note VU#181038
- Internet Storm Center WMF FAQ
- Brian Krebs. "Exploit Released for Unpatched Windows Flaw" — , December 28, 2005