Skip to main content

Microsoft releases patch for WMF flaw

Vulnerability left PCs open to viruses, spyware

By Marsha Walton




Microsoft Corporation
Computer Security

(CNN) -- Microsoft has released a patch for a vulnerability in some Windows graphics files.

For more than a week, criminal hackers have been exploiting the flaw in Windows Meta File, or WMF.

There is a link to the fix on the Microsoft home page. The "Security Update for WMF Vulnerability" shows users how to download and install the patch, which should protect Windows users from being infected with the malicious code.

About 90 percent of computer users worldwide use some form of the Windows operating system.

The company became aware of the malicious attacks December 27.

What's especially dangerous about the attacks: Your computer could be infected with viruses, spyware or other malicious programs just by viewing a Web page, an e-mail message, or an Instant Message that contains one of the contaminated images.

Computer security experts have been dealing with scores of variations on the attack since it was discovered.

"Nobody knew it was coming," security expert Rick Howard of Counterpane Internet Security said. "There was no security intervention or mitigation for it."

Unlike infamous computer worms and viruses like Blaster, Code Red or I Love You, the WMF attack is not spreading like wildfire across the Internet.

Most of the malicious efforts fit the patterns of recent attacks. They are not designed to earn bragging rights for a brash programmer, but instead are likely tied to theft, fraud and organized crime.

Some of the exploits so far identified are designed to steal passwords. Others install computer code that turns machines into zombies, which can then be controlled remotely to spew spam and viruses.

Microsoft issued its first security advisory on the issue December 28, the day after it became aware of the attacks.

The company created and tested a patch for the problem, and until this morning said it would be released next week as part of its monthly security bulletin.

Although the Microsoft security advisory characterized the attacks as "not widespread," there was an intense focus on the attacks and malicious possibilities across tech Web sites.

In a somewhat unusual development, an unofficial, third-party patch was posted on the Web several days before Microsoft's official fix.

That patch was created by Russian engineer Ilfak Guilfanov, and is available through the SANS Internet Storm Center, link, and other security-related Web sites.

Although Howard said Guilfanov's fix has been tested and is being released by the "good guys," there can be complications, even with official patches.

Something designed to fix one problem, like the WMF exploit, can sometimes wreak havoc on other computer components. Although tech-savvy home users who are aggressive about their security might download and install the unofficial patch with no problems, Howard said the average home user, and big companies with complex computer networks, would do better to use the official Microsoft fix.

Microsoft and computer security companies recommend several safe-computing practices. A few tips:

  • Stay away from unfamiliar Web sites, as they are more likely to host malicious code
  • Ignore links in e-mail messages from unknown sources
  • Install a personal firewall
  • Keep antivirus and antispyware software up to date.
  • "The good news for home users is that most standard antivirus vendors are keeping up to date, and as long as they download the right signature, they'll be OK," Howard said.

    Story Tools
    Subscribe to Time for $1.99 cover
    Top Stories
    Get up-to-the minute news from CNN gives you the latest stories and video from the around the world, with in-depth coverage of U.S. news, politics, entertainment, health, crime, tech and more.
    Top Stories
    Get up-to-the minute news from CNN gives you the latest stories and video from the around the world, with in-depth coverage of U.S. news, politics, entertainment, health, crime, tech and more.
    Search JobsMORE OPTIONS

    © 2007 Cable News Network.
    A Time Warner Company. All Rights Reserved.
    Terms under which this service is provided to you.
    Read our privacy guidelines. Contact us. Site Map.
    Offsite Icon External sites open in new window; not endorsed by
    Pipeline Icon Pay service with live and archived video. Learn more
    Radio News Icon Download audio news  |  RSS Feed Add RSS headlines