Microsoft Confirms Windows Flaw
Attackers can take control of a Windows PC by luring users to visit websites where their browser automatically downloads specially coded image files. The tainted files are saved in the Windows Metafile (WMF) format, but can be labeled as seemingly harmless JPEG and GIF files, the most common type of images found in webpages and e-mails. Researchers say attackers use the entry point to install hidden programs that can launch pop-up ads or steal passwords and other sensitive information.
Microsoft's Dec. 28 security advisory recommends trying several ways to keep your PC safe. Under the heading "Suggested Actions," the advisory gives step-by-step instructions for disabling the Windows Picture and Fax Viewer.
Microsoft is expected to introduce a patch soon, available to all users through Windows Automatic Update. However, the company will not confirm whether or not the patch will be available by January 10, the date of the next scheduled Windows update. "We're investigating the issue aggressively," Mike Reavey, operations manager for Microsoft's Security Response Center, told TIME. Reavey stressed the need to test the safety patch thoroughly before uploading it to users.
Craig Schmugar, virus research manager at McAfee's Anti-Virus Emergency Response Team Labs, says that disabling the Picture and Fax Viewer is a good "roadblock" while users wait for a patch. (The downside is that if you don't have another picture viewer installed, you will have difficulty opening image files.) Schmugar also echoes Microsoft's suggestion that users check that their anti-virus software is up to date. McAfee and other anti-virus software makers have traced all known attacks to mitigate damage an intrusion might cause.
Schmugar points out that while the threat is very real, it's contained up to now by the fact that only a small group of websites, well off the beaten path of most surfers, contain the malicious code. "The chances of you going to one of these sites is pretty low," he says, adding, "We're not aware of a mass spamming of this exploit at this time." Still, he cautions, anything could happen. "We'll just have to wait and see."
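The mislabeling described above, WMF content saved under a JPEG or GIF name, can be spotted by comparing a file's leading bytes with its extension. The sketch below is an added example, not part of the original article or Microsoft's advisory; the function names and sample files are constructed, and the header checks are a heuristic based on the documented WMF header layout.

```python
import os
import struct

# Placeable WMF files start with the key 0x9AC6CDD7 (little-endian on disk).
# Standard WMF headers start with Type (1 or 2), HeaderSize (9 words),
# and Version (0x0100 or 0x0300), each a 16-bit little-endian field.
PLACEABLE_KEY = 0x9AC6CDD7
IMAGE_EXTS = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_KEY:
        return "wmf"
    if len(data) >= 6:
        ftype, hdr_words, version = struct.unpack_from("<HHH", data)
        if ftype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"

def check(name: str, data: bytes) -> str:
    """Return 'skip', 'ok', 'wmf-disguised' or 'mismatch' for one file."""
    claimed = IMAGE_EXTS.get(os.path.splitext(name)[1].lower())
    if claimed is None:
        return "skip"                 # not named as a JPEG or GIF
    actual = sniff(data)
    if actual == claimed:
        return "ok"
    return "wmf-disguised" if actual == "wmf" else "mismatch"

# Constructed sample files (header bytes only, no real image data).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(16),
    "anim.gif": b"GIF89a" + bytes(16),
    "banner.gif": struct.pack("<I", PLACEABLE_KEY) + bytes(18),
    "logo.jpeg": struct.pack("<HHH", 1, 9, 0x0300) + bytes(12),
    "notes.txt": b"plain text",
    "cut.jpg": b"",
}

def scan(files: dict) -> dict:
    """Map each file name to its verdict."""
    return {name: check(name, data) for name, data in files.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:14} {name}")
```

A check like this fits at a mail or web gateway, where files flagged `wmf-disguised` can be quarantined regardless of the name they arrived under.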