Microsoft WMF vulnerability exploited in over 200 different attacks

Sophos Press Release

Microsoft flaw allows WMF graphic files to run malicious code

Updated 5 January 2006 to include information about fix from Microsoft

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have reported analysing over 200 different attacks exploiting a serious Microsoft security hole in the way Windows computers handle WMF graphic files.

Microsoft confirmed details of the vulnerability in late December 2005, which can allow remote hackers to install and run malicious code on Windows computers. Already Sophos, which automatically updated customers with the ability to detect malware using the exploit on 29 December, has seen hackers use over 200 different methods to attack computers in this way.

"Microsoft originally said it would release a fix for the problem as part of its regular patch cycle on Tuesday 10 January. The reason for the delay was explained by the software giant as being because it needed more time to properly test the patch to ensure it didn't cause unanticipated problems," said Graham Cluley, senior technology consultant for Sophos. "We have seen over 200 differently crafted attempts to infect computers using the WMF exploit, but as yet none are believed to be widespread. Companies would be sensible to ensure their anti-virus and anti-spam software is automatically updating itself to provide a higher level of protection for their users."

Security researcher Ilfak Guilfanov set up a website which contains an unofficial patch for the problem, for computer users who did not wish to wait for Microsoft to release its fix.

"In our testing we have found no problems with Guilfanov's fix for Microsoft's WMF vulnerability, and it does prevent the exploits from working," continued Cluley. "However, companies will now be able to use the official patch from Microsoft rather than rely upon a third party security patch."

Sophos recommends companies protect their email with a consolidated solution to thwart the virus and spam threats and secure their desktops and servers with automatically updated anti-virus protection, the latest security patches, and properly configured firewalls.

More than 100 million users in 150 countries rely on Sophos’ complete security solutions as the best protection against complex threats and data loss. Simple to deploy, manage, and use, Sophos’ award-winning encryption, endpoint security, web, email, mobile and network security solutions are backed by SophosLabs - a global network of threat intelligence centers. Sophos is headquartered in Oxford, U.K., and is publicly traded on the London Stock Exchange under the symbol “SOPH.” More information is available at