Trojans attack unpatched Microsoft vulnerability

WMF problem potentially affects every version of Windows

Exploit code is appearing for an unpatched vulnerability in Microsoft's Windows operating system, but users will have to wait another eight days before their computers will be safe.

The problem lies in the system for handling Windows Meta Files (WMF) and was discovered on 27 December. Exploit code started to appear shortly afterwards and administrators are now being urged to block all WMF files for the time being.

"Microsoft is aware of the public release of detailed exploit code that could allow an attacker to execute arbitrary code in the security context of the logged-on user, when such user is visiting a website which contains a specially crafted WMF image," said the company in a statement.

"An attacker would have no way of forcing users to visit a malicious website, but would have to persuade them to visit the site typically by getting them to click a link that takes them to the attacker's site."

The statement added that Microsoft engineers devised a patch within days of the discovery and will be releasing it on 10 January as part of the company's regular patch releases.

Microsoft highlighted some possible workarounds in a security advisory, such as updating antivirus software, and said that users of its OneCare system are protected. 

The software giant also advised users not to open unsolicited emails and to avoid visiting unknown websites.

Mikko Hyppönen, chief research officer at security firm F-Secure, warned that this is one of the most wide-ranging Microsoft problems yet seen, potentially affecting every version of Windows.

"This is not really a bug, it's just bad design. When Windows Metafiles were designed in the late 1980s, a feature was included that allowed the image files to contain actual code," he said in a blog entry. 

"This code would be executed via a call-back in special situations. This was not a bug; this was something which was needed at the time."

Hyppönen explained that the code was needed to stop print runs if they were cancelled mid-job. This means that other vulnerabilities in the WMF system are likely, and that every version of Windows is potentially affected.

Trojan infected emails have already been discovered, as have websites containing the code. Internet monitoring firm Websense has a collection of screenshots of infected websites here.