WMF Handling Vulnerability Warning

Microsoft has recently released a security advisory regarding a vulnerability in how Windows handles specially crafted Windows Metafile images using Windows Picture and Fax Viewer.

The vulnerability is triggered when Windows opens a specially crafted Windows Metafile (WMF) image, which could allow arbitrary code to be executed. Microsoft’s security bulletin is here.

This is a zero-day exploit, and it has the potential to be abused. In a zero-day exploit, a vulnerability in a piece of software is discovered and exploit code for it is released within hours of the discovery. Malware authors can exploit this vulnerability, and many users could potentially be affected, since the exploit code was released before the software maker released a patch. The consequences may be very dangerous.

Currently, there is no patch for this vulnerability.

Several pieces of malware that specifically exploit this vulnerability have already been discovered. Here are Trend Micro’s descriptions for TROJ_NASCENE.A and TROJ_WMFCRASH.A. Here is Symantec’s heuristic detection for the vulnerability.

Also, as a workaround, here is Trend Micro’s suggestion:

1. Click Start > Settings > Control Panel. Double-click on Internet Options.
2. In the Security tab, click on the Default Level button.
3. Move the slider to HIGH.
4. Click Apply, then OK.