Serious Windows vulnerability (and a fix)

Old Jan 1, 2006 | 9:40 pm
  #1  
Original Poster
Join Date: Nov 2001
Location: Canada (formerly New Zealand)
Posts: 401
Serious Windows vulnerability (and a fix)

This has been getting a bit of attention lately on the Interweb. It's a serious flaw in the way WMF (metafiles) from websites are handled (from images, as I understand it). There are apparently already 50 known exploits in the wild, and the number is sure to grow.

Link to the Microsoft Security Advisory on this issue
http://www.microsoft.com/technet/sec...ry/912840.mspx

The "suggested actions" from MS may not be enough, however. A recent (i.e., 1 January) special episode of the Security Now podcast (with Steve Gibson and Leo Laporte) (download here http://aolradio.podcast.aol.com/sn/SN-020SE.mp3) points to a fix offered here: http://www.hexblog.com/

I've installed it and it seems to be fine (i.e., no system instability).
DavidNZ is offline  
Old Jan 2, 2006 | 11:25 am
  #2  
Join Date: Jun 2005
Posts: 38,543
The problem with Microsoft's workaround is that it impairs Windows functionality. I've downloaded his patch and will be installing it as soon as some background operations complete and a reboot is acceptable.
Loren Pechtel is offline  
Old Jan 2, 2006 | 1:36 pm
  #3  
 
Join Date: Sep 2005
Location: LAX
Programs: UA 2P, SPG Gold
Posts: 157
This is exactly why I use Firefox and Thunderbird instead of Internet Explorer and Outlook.

Take a look at this article from Popular Science
mrmakochan is offline  
Old Jan 2, 2006 | 4:00 pm
  #4  
 
Join Date: May 2004
Location: Exclusively OMNI/PR, for Reasons
Posts: 4,186
Originally Posted by mrmakochan
This is exactly why I use Firefox and Thunderbird instead of Internet Explorer and Outlook.

Take a look at this article from Popular Science
Good for you. But this particular vulnerability is browser-independent, so Firefox won't do you any good in this case.
Dodge DeBoulet is offline  
Old Jan 2, 2006 | 4:38 pm
  #5  
KVS
Join Date: Jan 2004
Location: Worldwide
Posts: 12,952
Originally Posted by PorkRind
Good for you. But this particular vulnerability is browser-independent, so Firefox won't do you any good in this case.
Firefox/Mozilla/Netscape do not support WMF-format images in the 1st place (nor is there any need for any browser to support them), so they would not be affected by the vulnerability in question.
KVS is offline  
Old Jan 2, 2006 | 6:21 pm
  #6  
 
Join Date: May 2004
Location: Exclusively OMNI/PR, for Reasons
Posts: 4,186
Originally Posted by KVS
Firefox/Mozilla/Netscape do not support WMF-format images in the 1st place (nor is there any need for any browser to support them), so they would not be affected by the vulnerability in question.
Um, your system will be affected if you decide to actually OPEN them, regardless of the browser you use to fetch them, or email client through which you receive them.
Dodge DeBoulet is offline  
Old Jan 2, 2006 | 6:51 pm
  #7  
KVS
Join Date: Jan 2004
Location: Worldwide
Posts: 12,952
Originally Posted by PorkRind
Um, your system will be affected if you decide to actually OPEN them, regardless of the browser you use to fetch them, or email client through which you receive them.
Actually, no. If you carefully [re-]read Microsoft's bulletin for this issue (using the link above), you will see that you don't actually have to open the WMF file -- all you have to do is use MSIE to visit a web page (HTML) that contains an embedded WMF image. If you use any other browser to visit the same page, nothing is gonna happen, because those browsers do not support WMF images.
KVS is offline  
Old Jan 3, 2006 | 9:23 am
  #8  
 
Join Date: May 2004
Location: Exclusively OMNI/PR, for Reasons
Posts: 4,186
Originally Posted by KVS
Actually, no. If you carefully [re-]read Microsoft's bulletin for this issue (using the link above), you will see that you don't actually have to open the WMF file -- all you have to do is use MSIE to visit a web page (HTML) that contains an embedded WMF image. If you use any other browser to visit the same page, nothing is gonna happen, because those browsers do not support WMF images.
Actually, yes. In Firefox, you get a broken-image display when a WMF file is used in an IMG tag; if you right-click on the broken-image icon and select "view image", Firefox will attempt to open it using whatever application is associated with WMF files.

And if you receive an infected WMF file as an attachment to an email and elect to open it, regardless of email client, you may also become infected.

The issue is with a DLL that is used by multiple applications. MSIE uses it to render WMF files used in IMG links transparently to the end-user. However, it's very easy to open these files regardless; until this security bulletin was created, most people assumed that WMF files were probably benign.

The use of alternative browsers and email clients often lures the end-user into a false sense of security. I'm simply pointing out that they're not cure-alls . . . you can still easily get into trouble.
Dodge DeBoulet is offline  
Old Jan 3, 2006 | 9:45 am
  #9  
KVS
Join Date: Jan 2004
Location: Worldwide
Posts: 12,952
Originally Posted by PorkRind
And if you receive an infected WMF file as an attachment to an email and elect to open it, regardless of email client, you may also become infected.
There is a huge difference between merely visiting a website, and downloading and then opening/executing a file.

Once again, this vulnerability only affects the "Graphics Rendering Engine in Microsoft Windows", which is used by the MSIE browser, and which is not used by Firefox/Mozilla/Netscape. The fact that other Microsoft applications (like the Windows Picture and Fax Viewer, which also uses the problematic DLL) are also affected is not really relevant.
KVS is offline  
Old Jan 3, 2006 | 10:47 am
  #10  
Join Date: Sep 2000
Programs: BA, AA, DL, KLM, UA
Posts: 37,489
Originally Posted by KVS
There is a huge difference between merely visiting a website, and downloading and then opening/executing a file.

Once again, this vulnerability only affects the "Graphics Rendering Engine in Microsoft Windows", which is used by the MSIE browser, and which is not used by Firefox/Mozilla/Netscape. The fact that other Microsoft applications (like the Windows Picture and Fax Viewer, which also uses the problematic DLL) are also affected is not really relevant.
I agree, that is like saying that Firefox is vulnerable to all kinds of trojans IF YOU RIGHT CLICK AND OPEN THEM...

Firefox is perfectly safe, the problem with IE is that it renders them through the vulnerable engine without any user interaction.
ScottC is offline  
Old Jan 3, 2006 | 12:48 pm
  #11  
 
Join Date: May 2004
Location: Exclusively OMNI/PR, for Reasons
Posts: 4,186
Originally Posted by ScottC
I agree, that is like saying that Firefox is vulnerable to all kinds of trojans IF YOU RIGHT CLICK AND OPEN THEM...
Yes, and MSIE is not involved in any way in this action, nor is the option actually labeled "Open." Right-click on any image in Firefox and the option for "View" is present; this will cause Firefox to invoke the associated application for viewing. What's so hard to understand about this? Haven't you ever right-clicked on what appeared to be a broken image link in an attempt to view it?

Firefox is perfectly safe, the problem with IE is that it renders them through the vulnerable engine without any user interaction.
Generally speaking, Firefox is only safe as long as its unknown vulnerabilities remain unknown. In this case, a small amount of additional effort is required to infect a computer with a trojan WMF. While I agree that it's less likely for someone to right-click and view what appears to be a broken image, it's certainly not outside the realm of possibility. And a WMF file as an email attachment is just as much a problem . . . as I said, until this advisory, they were considered innocuous files and unlikely to trigger a user's defenses.

It's also worth noting that there is at least one popular extension for Firefox that will display the current page in MSIE. It's primarily used in cases where the page is not HTML-compliant. If a page containing a trojan WMF is rendered incorrectly in Firefox and the user elects to view it in MSIE, boom, he's infected.

I use Firefox almost exclusively, and my email client is Thunderbird. But I'm not under any illusions regarding my computer's safety and security on the internet, and I'm of the opinion that brushing off the WMF issue as MSIE-specific is a mistake. Any application that displays a WMF file via Shimgvw.dll (Windows Picture and Fax Viewer) could trigger infection.

Last edited by Dodge DeBoulet; Jan 3, 2006 at 12:52 pm
Dodge DeBoulet is offline  
Old Jan 3, 2006 | 3:15 pm
  #12  
 
Join Date: Apr 2005
Location: PHX
Posts: 3,794
It's possible that the WMFs will end up in Firefox's cache regardless. In that case, indexing programs (like Google Desktop) will open the file to get metadata from it, and trigger it.

The bug is not actually in Shimgvw.dll, but unregistering that will stop the automatic rendering of WMFs in most cases. The actual bug is in the design of the WMF format. There's a GDI function that's intended to be called only by an interactive program to provide an abort to a print operation. This can be included in a metafile, and will induce Windows to call code embedded in the metafile. Disabling this will require a fix to GDI32.DLL.

Last edited by alanh; Jan 3, 2006 at 3:28 pm
alanh is offline  
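
Added example, not part of the thread or of any vendor tool: a Python scanner for the condition post #12 describes, a metafile record that registers a print-abort callback. The record names and numbers (META_ESCAPE 0x0626, SETABORTPROC escape 9) come from the published WMF format rather than from the posts, and the sample metafiles are constructed in memory with no escape data.

```python
import struct

PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"  # optional 22-byte placeable header
META_ESCAPE_LOW = 0x26   # META_ESCAPE is record function 0x0626
SETABORTPROC = 0x0009    # escape number that registers a print-abort callback

def find_setabortproc(data):
    """Return (offsets of SETABORTPROC escape records, parse error or None)."""
    pos = 22 if data[:4] == PLACEABLE_MAGIC else 0
    if len(data) < pos + 18:
        return [], "truncated header"
    mtype, header_words = struct.unpack_from("<HH", data, pos)
    if mtype not in (1, 2) or header_words != 9:
        return [], "not a WMF header"
    pos += 18
    hits = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        # Check the escape number before trusting the size field: a crafted
        # file can lie about record sizes. Matching on the low byte only is a
        # deliberately loose choice made for this example.
        if func & 0xFF == META_ESCAPE_LOW and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        end = pos + size_words * 2
        if size_words < 3 or end > len(data):
            return hits, "bad record size at offset %d" % pos
        if func == 0:  # META_EOF
            return hits, None
        pos = end
    return hits, "missing META_EOF"

def record(func, params=b"", size_words=None):
    """Build one record; size_words overrides the true size (constructed input)."""
    words = (6 + len(params)) // 2 if size_words is None else size_words
    return struct.pack("<IH", words, func) + params

def sample(records):
    """Constructed in-memory metafile: 18-byte header, records, META_EOF."""
    body = b"".join(records) + record(0x0000)
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 0, 0) + body

ESCAPE = struct.pack("<HH", SETABORTPROC, 0)            # escape number, ByteCount 0
CLEAN = sample([record(0x0103, struct.pack("<H", 8))])  # META_SETMAPMODE only
FLAGGED = sample([record(0x0103, struct.pack("<H", 8)), record(0x0626, ESCAPE)])
LYING = sample([record(0x0626, ESCAPE, size_words=1)])  # size field too small

if __name__ == "__main__":
    for name in ("CLEAN", "FLAGGED", "LYING"):
        print(name, find_setabortproc(globals()[name]))
```

Because the check reads file content, it applies equally to a browser cache entry, a mail attachment or a file picked up by an indexer, which are the delivery paths argued over in this thread.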
Old Jan 3, 2006 | 3:16 pm
  #13  
Join Date: Sep 2000
Programs: BA, AA, DL, KLM, UA
Posts: 37,489
Originally Posted by alanh
It's possible that the WMFs will end up in Firefox's cache regardless. In that case, indexing programs (like Google Desktop) will open the file to get metadata from it, and trigger it.
Uh, no.
ScottC is offline  
Old Jan 3, 2006 | 3:33 pm
  #14  
 
Join Date: Apr 2005
Location: PHX
Posts: 3,794
Originally Posted by ScottC
Uh, no.
I assume you mean that it won't be cached by Firefox? The Google Desktop problem has been demonstrated.
alanh is offline  

