December 28, 2005
A serious vulnerability in Windows Fax and Picture Viewer can allow remote attackers to use .WMF image files to gain control of your system. Windows XP (SP1 and SP2), Windows 2003, Windows 2000 SP4, Windows ME, and Windows 98 users are all equally vulnerable, even if fully patched as of the time of discovery.
The WMF Image Handling Exploit is made possible by a vulnerability in shimgvw.dll, a dynamic link library file that is the core component of Windows Fax and Picture Viewer (WFPV). Even if other image programs have been assigned to handle .WMF files, the WMF Image Handling Exploit can still be triggered. The vulnerability is a Windows flaw, not a browser flaw, so it impacts all users of the aforementioned operating systems, including Firefox users.
The WMF Image Handling Exploit can be delivered in numerous ways: via websites, email, and IM. If an exploited WMF file is on the system, the exploit will trigger simply by browsing the directory it is in; the file does not have to be opened. Likewise, it will trigger automatically when visiting a website hosting one of the malicious images, opening a picture received in email (automatically rendered if you read email in HTML instead of plain text), or clicking a link to an exploited image file in email or IM.
Though the WMF Image Handling Exploit involves .WMF files, a .WMF renamed to a different image extension, e.g. TIF, JPG, ICO, etc., will still be recognized by Windows as a WMF file and the exploit will be triggered.
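Because the extension is not what decides how the file is handled, filtering on ".wmf" alone misses renamed files. The following is an added example, not part of the original article: it flags files whose content begins with a WMF header but whose extension says otherwise. The function names are hypothetical, the header values (type 1 or 2, header size of 9 words, version 0x0100 or 0x0300, optional placeable key 0x9AC6CDD7) come from the WMF file format, and a match means only that the content is WMF, not that it is malicious.

```python
import struct
import tempfile
from pathlib import Path

PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte "placeable" preamble
PLACEABLE_LEN = 22
HEADER_LEN = 18             # fixed WMF header that every metafile carries


def is_wmf(data: bytes) -> bool:
    """True if data begins with a WMF header, with or without the placeable preamble."""
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        data = data[PLACEABLE_LEN:]
    if len(data) < HEADER_LEN:
        return False
    ftype, header_words, version = struct.unpack_from("<HHH", data)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def find_disguised_wmf(root) -> list:
    """Names of files under root whose content is WMF but whose extension is not .wmf."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() != ".wmf":
            with path.open("rb") as fh:
                if is_wmf(fh.read(PLACEABLE_LEN + HEADER_LEN)):
                    hits.append(path.name)
    return sorted(hits)


def demo() -> list:
    """Scan a temp directory of constructed samples (headers only, no drawing records)."""
    std = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9, 0, 0, 0)
    placeable = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0)
    samples = {
        "photo.jpg": std,                                # WMF renamed to .jpg
        "icon.ico": placeable + std,                     # placeable WMF renamed to .ico
        "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 36,  # JPEG magic, not WMF
        "drawing.wmf": std,                              # honest extension, not reported
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).write_bytes(body)
        return find_disguised_wmf(tmp)


if __name__ == "__main__":
    print(demo())
```

The same content check can run at a mail or web gateway on the first 40 bytes of each attachment or download, so that the file name plays no part in the decision.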
Immediately following discovery of the WMF Image Handling Exploit, several websites were also discovered exploiting the vulnerability to foist adware and spyware onto unsuspecting visitors' systems.