Your Windows PC can now be infected with the nastiest malware imaginable just by viewing an image, or just by (say) Google Desktop or Lotus Notes or some other software accessing the image without you even seeing it. Using a recent version of Firefox or Opera is an improvement on IE but does not guarantee safety. Worst of all, this flaw in Microsoft's WMF picture file and fax viewer is a zero-day exploit for which there is no fix, officially.
Clip from F-Secure
Malware is now being distributed from an unknown number of websites, via email (Subject: Happy New Year; Body: picture of 2006; the WMF exploit is in an attachment called HappyNewYear.jpg); and via an MSN Messenger worm (a link to an image that ends with xmas-2006 FUNNY.jpg), as F-Secure explains. Many more will follow.
I published what I hope is the correct fix on the Ask Jack blog on Thursday, which is to unregister the Microsoft dll file that displays the images. Some people find this means they can no longer view JPEG images in XP. If so, download an alternative viewer such as IrfanView. (However, avoid using this or any other program to view .wmf files.)
Ilfak Guilfanov has written a temporary fix for Windows XP SP2 which may work on some other versions. Again, see the Ask Jack blog for details.
I've been tracking this thing for four days now and in real terms, it's still pretty small. However, I can certainly imagine that several thousand professional malware writers -- real criminals, not just script kiddies and spammers -- are now working full time on exploits. And when hundreds of millions of Windows PCs are switched on after the New Year holiday, every single one will be vulnerable.
Update: As F-Secure points out today [Monday], the WMF security hole is 15 years old -- it goes back to Windows 3.0 in 1990 -- and "probably affects more computers than any other security vulnerability, ever".
A global disaster is not inevitable, but it is conceivable.
