Windows Metafile Vulnerability - Propagation and Infection

Propagation and Infection

Computers can be affected via the spread of infected e-mails which carry the hacked WMF file as an attachment. Infection may also result from:

• Viewing a website in a web browser that automatically opens WMF files, in which case any potential malicious code may be automatically downloaded and opened. Internet Explorer, the default Web browser for all versions of Microsoft Windows since 1996, does this.
• Previewing an infected file in Windows Explorer.
• Viewing an infected image file using some vulnerable image-viewing programs.
• Previewing or opening infected emails in older versions of Microsoft Outlook and Outlook Express.
• Indexing a hard disk containing an infected file with Google Desktop.
• Clicking on a link through an instant messaging program such as Windows Live Messenger, AOL Instant Messenger (AIM) or Yahoo! Messenger.

Other methods may also be used to propagate infection. Because the problem is within the operating system, using non-Microsoft browsers such as Firefox or Opera does not provide complete protection. Users are typically prompted to download and view a malicious file, infecting the computer. Infected files may be downloaded automatically, which opens the possibility for infection by disk indexing or accidental previewing.

According to assessments from the McAfee antivirus company, the vulnerability has been used to propagate the Bifrost backdoor trojan horse. Other forms of malware have also exploited the vulnerability to deliver various malicious payloads.

McAfee claims that the first generation of such exploits had been encountered by more than 6% of their customer base by 31 December 2005.