A zero-day vulnerability in the Windows Metafile (WMF) image format was disclosed on 28 December. The vulnerability is being actively exploited in the wild; specific malicious WMF files are being distributed through compromised websites and email; Microsoft has yet to ship a patch.
This is a short operational post — the situation is still developing.
What is happening
The technical mechanism: a malformed WMF file triggers code execution when Windows renders the image. Exploitation requires only that the user view a malicious WMF; preview-pane processing, browser image rendering and document-embedded image handling are all potential vectors.
The vulnerability affects essentially all current Windows versions. Windows XP, Windows Server 2003, Windows 2000 — all are vulnerable. The exploitation is reliable; the working code is publicly available; specific malware is using the vulnerability to install itself.
This is functionally similar to the JPEG vulnerability MS04-028 from 2004. Image-handling code with insufficient input validation; broad attack surface; passive exploitation through image viewing.
What Microsoft has said
Microsoft published an advisory acknowledging the vulnerability on 28 December. The advisory describes the issue, lists affected products, and provides workarounds. No patch has shipped; the advisory says one is in development; no specific timeline has been committed.
The workarounds are useful but bounded:
- Unregistering the affected DLL (shimgvw.dll) eliminates the vulnerability but breaks specific image-display functionality.
- Specific antivirus signatures catch known malicious WMF files; they will lag behind new variants.
- Network filtering for WMF attachments at mail relays reduces exposure for specific delivery channels.
What is unusual
Two things make this incident structurally noteworthy.
A third-party patch is circulating. Ilfak Guilfanov (the principal developer of the IDA Pro disassembler) has published an unofficial patch that addresses the vulnerability without breaking image-display functionality. The patch is being distributed through trusted security channels; specific operators are deploying it ahead of the official Microsoft patch.
The third-party patch is structurally interesting. The community has filled a gap that the vendor has not yet addressed; the trust model around third-party patching is being tested in real time.
Active exploitation is widespread before patch availability. Specific reports describe hundreds of websites distributing malicious WMF files. Specific phishing campaigns are using WMF attachments. The exploitation is not theoretical; it is operational at scale.
The cumulative timing is bad. Zero-day public disclosure during the holiday week, before vendor response, with active exploitation. Operators on holiday rotation are operating with reduced staffing; the response capacity is bounded.
What operators should do
For organisations running Windows infrastructure:
Apply Guilfanov's third-party patch on critical systems. The patch has been reviewed by multiple security researchers; the trust signal is strong. The investment is bounded; the protection is meaningful until the official patch ships.
Aggressive mail filtering for image attachments. The trade-off (legitimate attachments inconvenienced) is acceptable given the threat profile.
User communication about the vulnerability. Users should know about the issue; specific guidance about not opening unexpected attachments and not visiting unfamiliar sites is worth communicating.
Web-filtering for known malicious sites. Specific URLs distributing malicious WMF files are documented; specific operators can block access to them.
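The mail-relay filtering mentioned in the workarounds and in the operator guidance above is only as good as its file identification: matching on the `.wmf` extension misses a WMF shipped under another name. The following is an added example, not code from the original post, that identifies WMF attachments by their header bytes (placeable or standard) and quarantines them whatever the filename; the attachment list and the minimal WMF samples are constructed here for illustration.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7                     # "Aldus" placeable WMF header magic
WMF_EOF_RECORD = struct.pack("<IH", 3, 0x0000)  # 3-word record, function META_EOF


def is_wmf(data: bytes) -> bool:
    """Identify a WMF file by content, not by filename."""
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        data = data[22:]                          # skip the 22-byte placeable header
    if len(data) < 18:                            # standard header is 18 bytes
        return False
    file_type, header_words, version = struct.unpack_from("<HHH", data, 0)
    # Type 1 = memory metafile, 2 = disk metafile; header size is always 9 words
    return file_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def quarantine_attachments(attachments):
    """Return names of attachments whose content is WMF, whatever the extension."""
    return [name for name, blob in attachments if is_wmf(blob)]


def build_sample_wmf(placeable: bool) -> bytes:
    """Constructed, benign sample: header followed by a single META_EOF record."""
    # Type, HeaderSize, Version, Size (words), NumberOfObjects, MaxRecord, NumberOfMembers
    body = struct.pack("<HHHIHIH", 2, 9, 0x0300, 12, 0, 3, 0) + WMF_EOF_RECORD
    if not placeable:
        return body
    # Key, HWmf, BoundingBox (left, top, right, bottom), Inch, Reserved
    fields = struct.pack("<IHhhhhHI", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0)
    checksum = 0                                  # XOR of the first ten 16-bit words
    for (word,) in struct.iter_unpack("<H", fields):
        checksum ^= word
    return fields + struct.pack("<H", checksum) + body


# Constructed attachment set: one honest WMF, one WMF renamed to .jpg,
# one real JPEG signature, one text file.
SAMPLE_ATTACHMENTS = [
    ("holiday.wmf", build_sample_wmf(placeable=True)),
    ("photo.jpg", build_sample_wmf(placeable=False)),
    ("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 40),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    print(quarantine_attachments(SAMPLE_ATTACHMENTS))
```

The renamed `photo.jpg` is caught and the genuine JPEG passes; a relay that keyed on extension alone would get both wrong.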
For organisations on holiday rotation:
The recall pattern matters. This is the kind of incident where specific people need to be reached during their break. Disrupting their holiday is a real cost; not addressing the vulnerability is a worse cost.
Document the timeline. The period spanning the end of 2005 and the start of 2006 will carry substantial cumulative exposure. Documentation of what was done when supports the post-incident review.
A small note on the disclosure pattern
The disclosure of this vulnerability appears to have been coordinated badly. Specific researchers had advance knowledge; the public disclosure came before vendor response was ready; the active exploitation began essentially simultaneously with the public disclosure.
The structural questions are worth thinking about:
- Should the public disclosure have waited for vendor patches?
- Was the coordinated-disclosure attempt unsuccessful, or was there no attempt?
- What is the right disclosure pattern for vulnerabilities under active exploitation when the vendor response is delayed?
I do not have specific knowledge of the disclosure history for this case. The general questions remain open across multiple recent disclosure events.
For my own writing: more on the disclosure trajectory once the dust settles. The current incident is too active for retrospective analysis; the specific events will inform subsequent writing.
What I am doing on my own infrastructure
For my own setup: minimal Windows exposure; bounded direct risk. The Snort sensor has been updated with rules for known WMF exploitation patterns; the structured-log analysis is watching for the patterns.
For friends on Windows: a brief note about the vulnerability and about Guilfanov's patch. The conversation is preventive; the cumulative effect is bounded but real.
For client work: a note circulated on 29 December describing the vulnerability and recommended response. Specific clients have responded by the standard; some are deferring to early 2006.
What I expect
Three predictions for early 2006:
Microsoft ships an official patch within two weeks. 85% probability, deadline 13 January 2006. The pressure is substantial; the engineering work is bounded; Patch Tuesday on 10 January is a natural target.
Significant cumulative compromise occurs before the patch ships. 95% probability. The exploitation is active; the patch is days away; the cumulative population that will be compromised is non-trivial.
The third-party patch precedent is invoked in subsequent disclosure conversations. 80% probability. Guilfanov's patch will be referenced in discussions about vendor response timelines for years.
For my own continued writing: tracking the resolution of this incident, the post-incident review, and the structural lessons about disclosure timing.
More in time. Happy new year, despite this. The operational rhythm continues.