Here is yet another confirmation that nobody should still be using Internet Explorer to browse the web on Windows. The .wmf file vulnerability has been around for a few months now, and has mostly been confined to the seedier corners of the internet (I often run into it on bittorrent trackers, warez and serial sites).
The basic gist of this vulnerability is that if IE is presented with a .wmf file in a web page, your computer will open it automatically. There is a vulnerability in the component that handles .wmf files that enables an attacker to embed code in the .wmf file and pretty much own your computer. You’ll run into it online with ads that automatically use the vulnerability to attempt to install adware and spyware on your system. Of course, sane browsers, such as Opera, Firefox, Mozilla, whatever, won’t open the file automatically, and will instead present you with a dialog box to save it. And if you’re not using a Windows PC, .wmf files don’t mean anything anyway, so it’s just an annoyance. Microsoft has released a patch to “fix” this, but apparently a lot of people out there have never applied it.
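The post describes the mechanism only loosely (IE hands the file to a vulnerable handler, the file carries code). The detection side is worth seeing concretely: the records inside a WMF file are a flat list of (size, function) pairs, and the one that matters here is the Escape record carrying the SetAbortProc escape code, which has no legitimate business inside a metafile served by a web page. The following checker is an added example written for this post, not code from the original author or from Microsoft; the record layout and the Escape/SetAbortProc codes come from the public WMF format documentation and the Microsoft advisory for this bug, not from the post itself. Both sample files are constructed inline and contain no payload, so the suspect one merely carries the flagged escape code.

```python
import struct

# WMF constants (from the public WMF format documentation; not from the post)
PLACEABLE_KEY = 0x9AC6CDD7   # Aldus "placeable" 22-byte header, optional
META_SETBKCOLOR = 0x0201     # harmless record used for the benign sample
META_ESCAPE = 0x0626         # Escape record: EscapeFunction, ByteCount, data
ESC_SETABORTPROC = 0x0009    # escape code abused by the 2005/2006 WMF bug
META_EOF = 0x0000


def parse_records(data: bytes):
    """Return a list of (offset, function, params) for each metafile record.

    Raises ValueError on anything structurally off; a filter in front of a
    browser or ad pipeline should treat a parse failure as a reason to block.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22                               # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("file too short for a WMF header")
    file_type, header_words = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a standard WMF header")
    off += 18                                  # 9 words of header
    records = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2
        if size_words < 3 or off + rec_len > len(data):
            raise ValueError("malformed or truncated record at %d" % off)
        records.append((off, func, data[off + 6: off + rec_len]))
        off += rec_len
        if func == META_EOF:
            return records
    raise ValueError("no EOF record")


def find_abortproc_escapes(data: bytes):
    """Offsets of every Escape record whose escape code is SetAbortProc."""
    hits = []
    for off, func, params in parse_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == ESC_SETABORTPROC:
                hits.append(off)
    return hits


def build_wmf(records):
    """Assemble a minimal memory-type WMF from (function, params) pairs.

    Used only to construct the sample inputs below.
    """
    body = b""
    max_words = 3
    for func, params in records:
        params += b"\x00" * (len(params) % 2)  # records are word-aligned
        size_words = 3 + len(params) // 2
        body += struct.pack("<IH", size_words, func) + params
        max_words = max(max_words, size_words)
    body += struct.pack("<IH", 3, META_EOF)
    total_words = (18 + len(body)) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_words, 0)
    return header + body


# Constructed samples: an ordinary metafile and one carrying the flagged escape
# code with a zero byte count (no data, no payload).
BENIGN_WMF = build_wmf([(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))])
SUSPECT_WMF = build_wmf([(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 0))])
# The same suspect file behind a placeable header (checksum not validated here).
PLACEABLE_SUSPECT_WMF = struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0,
                                    0, 0, 100, 100, 96, 0, 0) + SUSPECT_WMF


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF),
                       ("placeable-suspect", PLACEABLE_SUSPECT_WMF)):
        print(name, "SetAbortProc escape at", find_abortproc_escapes(blob))
```

Flagging any SetAbortProc escape, rather than trying to judge its data, is the right call for a content filter: the escape only makes sense during printing, so its presence in a file fetched from an ad network is itself the signal. A parse error gets the same treatment as a hit, since a file that does not decode as a valid metafile should not reach the handler either.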
The Washington Post’s “Security Fix” today prints the disturbing revelation that the malware has made it to the mainstream. Unscrupulous ad companies are selling ads embedded with this vulnerability to major web sites such as Webshots and Myspace (which is one of the most visited sites on the internet). So all those people saying to themselves, “Oh, I don’t go to strange places on the internet, so I don’t need to worry about all of these Windows security problems,” now also have a bull’s-eye painted on them. And if you’re saying to yourself right now, “Oh, I patch my Windows regularly, there’s no reason to stop using IE,” what will happen when the next vulnerability is found?