Potentially massive Windows (every version) exploit unveiled
Captain Kidd
03-January-2006, 06:54 PM
Somehow in the way it renders graphics, code embedded in the graphic image itself can be activated just by viewing it.
Unlike most attacks, which require victims to download or execute a suspect file, the new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.[source (http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html)]
Tech News World (http://www.technewsworld.com/story/48091.html) has more info; it seems to be related to Windows metafiles (WMF). IE opens it automatically; FF & Opera users are asked if they want to open the WMF file first.
Wolverine
03-January-2006, 06:56 PM
Heh. What else is new...
01101001
03-January-2006, 07:09 PM
[...] it seems to be related to Windows metafiles (WMF). IE opens it automatically; FF & Opera users are asked if they want to open the WMF file first.
I think it may be worse.
EWeek: Another WMF (Windows Major Foul-Up) (http://www.eweek.com/article2/0,1895,1906513,00.asp)
As a result, it is surprisingly easy to get hit with this attack, even if you are being careful. I've heard stories of experienced researchers being hit while researching the attack.
One way this might have happened, and it's a good example of how easy it is, is through Google Desktop. F-Secure has demonstrated that Google Desktop users can become infected simply by downloading an infected file. When Google Desktop indexes the file it launches the exploit.
Apparently a file doesn't have to be explicitly opened for display, but a trusted tool might open a file to see what the file's contents are.
A good FAQ: SANS WMF FAQ (http://isc.sans.org/diary.php?storyid=994).
NEOWatcher
03-January-2006, 07:26 PM
Who said that WMF files are images. I could also say that there is potentially an issue with .BAT or .COM or .EXE files. WMF are primarily used for images because any windows system may display them, but they are directives, commands, etc, to be able to send multiple types of information between computers.
If you got a shoebox in the mail, would you open it? Maybe only if it came from someone that you ordered shoes from.
Nicolas
03-January-2006, 07:30 PM
Same goes for .scr files. These are by definition .exe files, so they can be any (virus) program. Mails with .scr's, even those appearing to be from relatives, get deleted by me.
Captain Kidd
03-January-2006, 08:00 PM
Who said that WMF files are images.
Most of the sites I was reading up on it.
Tech News: Windows metafiles are image files
The Sans site 01101001 linked to: The WMF vulnerability uses images (WMF images) to execute arbitrary code.
United States Computer Emergency Readiness Team (http://www.kb.cert.org/vuls/id/181038) Microsoft Windows is vulnerable to remote code execution via an error in handling files using the Windows Metafile image format
Edit due to wrong button:
I did read the rest of the post. My understanding of the issue is that you merely have to go to the site the WMF file, usually shown as an image, is on. There is no attachment to screen for; the browser just needs to load up the image and it'll execute the full command associated with the file.
mickal555
03-January-2006, 08:50 PM
!!!
Very Scary...
NEOWatcher
03-January-2006, 09:52 PM
And from MS (http://support.microsoft.com/kb/81497/en-us).
If you can't see that...
A metafile is a mechanism for storing a graphics device interface (GDI) "picture" -- a series of GDI functions that are used to draw an image. A metafile consists of a series of records, each representing a GDI function. When the metafile is played back, each stored function is executed using its recorded parameters.
So it's not an image, it's a program that says how to draw the picture. So "WMF Image" is the interpretation of the WMF program.
Captain Kidd
03-January-2006, 10:31 PM
I can see that. I understand, a bit more fully I'll admit, what a metafile is (not being a programmer, I can't truly appreciate its features).
However, getting back to the topic, maybe you can explain it a bit better then. As you said, "If you got a shoebox in the mail, would you open it? Maybe only if it came from someone that you ordered shoes from." However, from what I've been reading, you can't tell it's a shoebox until it's too late. In addition, it's not limited to email anyway, so there's no "just don't open attachments."
The issue with this seems to be that it doesn't require you to open anything more than a webpage. You can't visually scan for attachments and delete any files that have them or aren't from people you trust.
If the image (file, whatever it should be called) is part of a website that you happen to visit, from what I understand, IE will automatically open it before you even get a chance to say "don't open that shoebox" because IE treats WMF files like any other "safe" filetypes like jpgs and gifs.
And from f-secure (http://www.f-secure.com/weblog/archives/archive-122005.html#00000753), FF won't even keep you safe if you have things like Google Toolbar installed:
You can get burned even while working in a DOS box! This happened on one of our test machines where we simply used the WGET command-line tool to download a malicious WMF file. That's it, it was enough to download the file. So how on earth did it have a chance to execute?
The test machine had Google Desktop installed. It seems that Google Desktop creates an index of the metadata of all images too, and it issues an API call to the vulnerable Windows component SHIMGVW.DLL to extract this info. This is enough to invoke the exploit and infect the machine.
GDwarf
03-January-2006, 10:38 PM
Google toolbar isn't an issue for Firefox, last time I checked you can't install the toolbar in FF, and there isn't any reason to, as FF comes with all of the toolbar's features.
Sigma_Orionis
03-January-2006, 10:40 PM
Sheez another one, it seems I am going to have a lot of work this week :sad:
Captain Kidd
03-January-2006, 10:43 PM
Ah, oops, I hadn't tried to get it so I winged that example.
mickal555
03-January-2006, 10:44 PM
Google toolbar isn't an issue for Firefox, last time I checked you can't install the toolbar in FF, and there isn't any reason to, as FF comes with all of the toolbar's features.
You can now, and FF doesn't have PageRank.
NEOWatcher
04-January-2006, 12:44 PM
snip
However, getting back to the topic, maybe you can explain it a bit better then. As you said, "If you got a shoebox in the mail, would you open it? Maybe only if it came from someone that you ordered shoes from." However, from what I've been reading, you can't tell it's a shoebox until it's too late. In addition, it not limited to email anyways so there's no "just don't open attachments."
I guess it's a matter of how you get it. I was more thinking of mail attachments, but yes, other programs automatically execute them thinking that they are innocuous graphics.
Demigrog
04-January-2006, 03:07 PM
This particular exploit was obvious in hindsight; basically WMF files are a set of vector drawing instructions that can be sent directly to the Windows graphics system (GDI). Typical WMFs only use a subset of the full GDI command set, mostly because certain commands do not make sense from an image file. However, the GDI code still allows these commands from metafiles. One of the commands is SetAbortProc, which basically allows an error handling routine to be called if something goes wrong when drawing; it has no purpose in a WMF file, but apparently Microsoft's GDI code executes it anyway. The exploit apparently calls this function with a pointer designed to execute malicious code embedded somewhere else in the metafile data. I can see how this exploit was missed; Microsoft probably checked all of the documented WMF functions for vulnerabilities, but didn't think to check for GDI commands that are not normally used in WMF files (it still is an inexcusable lapse, IMHO, but what can we do? We're just lucky nobody exploited it before now, given the hole has been there since Windows 3.0).
Fortunately, the functions called to display images in e-mail and web browser applications usually do not support WMF; they usually invoke the registered application for WMFs (windows fax/image viewer), but only if the user specifically opens the file. I used to be ticked off that WMF was not automatically recognized by IE; now I'm glad it isn't!
Google Desktop has been singled out (probably unfairly, given that this is really Microsoft's fault) because when it indexes WMFs it apparently executes the malicious code (it is probably going through the metafile records looking for text). Other index programs may have the same problem.
I just hope Microsoft's fix doesn't do more harm than good; they may decide to block all WMFs, which will break several applications I have that use metafiles extensively. I'm still mad about their "solution" to an earlier problem with malicious programs that automatically send e-mails; they opted to completely disable the CMC API, forcing me to rewrite several applications to use MAPI. (pardon the acronyms, I'm ranting)
Sigma_Orionis
06-January-2006, 03:30 PM
The fix is already available here (http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx). I installed it last night; so far nothing seems broken...
Doodler
06-January-2006, 07:37 PM
WMF files can also be streaming video.
Maksutov
07-January-2006, 11:59 AM
The fix is already available here (http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx). I installed it last night; so far nothing seems broken...
Thanks for the info and link. The last thing I read about this on the Microsloth website was that the fix wouldn't be available until Jan. 16.
Installed and seems to be running OK so far. If not I probably wouldn't be posting this.
Obviousman
07-January-2006, 12:17 PM
If you use AVG Anti-virus, they have also an update for this virus.
worzel
07-January-2006, 12:22 PM
If you've got automatic updates you should already have the fix installed.
teri tait
07-January-2006, 12:30 PM
Well, that makes me feel much better. I was looking at a webpage once and the graphics exploded all the way down to code! It was kinda weird, but I whistled along and went and just read the code itself ;)
If I had a bottle of Windexzilla, I would clean up such language...