Tech Shout!

Another vulnerability in Windows Metafile (WMF) was announced by Microsoft on Tuesday. The software giant said that attacker could perform code as the logged-in user. Microsoft has found four ways of exploiting the flaw, however it stressed the latest vulnerability is very restricted in its reach.

Microsoft claimed that only users of Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4 and Internet Explorer 5.5 Service Pack 2 on Windows Millennium are affected by the problem.

An attacker would be able to exploit the flaw by hosting a specially techniqued WMF file on a Web site, convincing a user to open a specially crafted e-mail attachment, persuading a user to click on a link in an e-mail, or by the user viewing specially crafted e-mail in the preview pane of Outlook Express.

There is no way for an attacker to compel a user to visit a malicious Web site, Microsoft said, which means the attacker would have to persuade the user to do so. The same would go for an e-mail based attack as well. The company said it would continue its analysis and provide further guidance if needed.

In an advisory the company said, “Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs”.

As a security preventative measure Microsoft advises users to follow the security procedures of allowing a firewall, applying software updates and installing antivirus software.