Don't ignore newly found booby trap in Windows

When you spend a week on a real vacation - far away, in the sunshine, where the biggest news on TV is a California cop attacked by a pack of Chihuahuas - you begin to think that nothing really happened while you were gone.

But something did indeed happen between Christmas and New Year's, and thanks to the holiday lull, you probably didn't hear about it, either.


So listen up: There's a newly discovered and particularly nasty security flaw in all versions of Microsoft Windows dating back to Windows 98. And for the moment, there's nothing Microsoft can do to help you - so you're on your own.

The flaw allows programmers to execute malicious code on your computer when you view a booby-trapped graphic known as a Windows Metafile. Once you've done that, the hacker can literally take over your PC. He can steal critical information, download additional spyware or turn the machine into a "zombie" that attacks other systems and delivers millions of spam e-mails.


Windows security flaws are hardly new, but this one is easy to trip over and can get you into real trouble, fast. Microsoft announced it Dec. 28, which through no fault of Bill Gates is a time when lots of people are not paying attention.

Unfortunately, the company won't have a security patch available until Tuesday - its regular monthly update. That's annoying, because the cure can't be that hard to put together.

Until then, you'll just have to be very careful - and update your anti-virus software as soon as possible.

How does this little bug work? According to Windows historians and security experts, the flaw dates back to the early 1990s, when Microsoft was more interested in churning out features for its fledgling Windows system than in nailing shut the security doors. This is understandable - there wasn't a Web to worry about in those days.

The company developed a graphics format called the Windows Metafile, which allowed images to be enlarged or reduced in size without affecting the quality, much like the PostScript files adopted by Apple at the same time.

Employed by illustrators and graphic designers, Metafiles have also been a popular format for the clip art that accompanies Microsoft Word, Publisher, PowerPoint, Excel and other Office products. They're also common in greeting-card software and other consumer-based drawing programs.

Windows Metafiles usually use the extension ".WMF" at the end of their file names. But not always - more about that later.

To make it easier for users to cancel print jobs, Microsoft programmers gave Metafiles the authority to run programs on your PC. This would be an absolute no-no in today's security-conscious world, but it wasn't then, and the vulnerability has persisted for years. In fact, it's hard to say why it took so long for malicious hackers to exploit it.


But exploit they did. Today hackers are busy spreading booby-trapped images that are easily triggered by the software behind the Windows Picture and Fax viewer, which Windows XP uses to view all types of graphic files.

The vulnerability extends to older versions of Windows, as well as to recent versions of Lotus Notes, whose e-mail software - until now - has been less vulnerable to viruses, worms and other bad guys than Microsoft's.

If a hacker can get you to visit a Web site that displays an infected image, or to open an infected image contained in an e-mail attachment, you're done for.

Some of the files contain "Trojan horse" programs that pop up windows informing you that you've been infected, and asking for credit-card information. Some download even more dangerous programs from remote servers.

What makes these attacks particularly insidious is the fact that there's no way to distinguish a Windows Metafile by looking at the file name.

Windows does use three-letter extensions to identify different types of files (JPG for photos, DOC for Word documents, HTM for Web pages, WMF for Metafiles and so on). But that's mostly a convention to help you identify different kinds of documents by sight.


When you double-click on a graphics file, Windows actually examines its structure and then figures out which program it will use to open the image. So, if a malicious programmer puts a JPG extension on a Metafile, Windows will recognize it for what it is and open it - thereby executing the malicious code.
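To see why the file name is no guide, here is a short Python check, added as an illustration and not taken from Microsoft or any anti-virus vendor, that reads the first bytes of each file in a folder and reports those that carry a Metafile header under some other extension. The header values come from the published WMF file format; the function names and sample files are constructed for this example, and a header match is a heuristic, not a verdict that a file is malicious.

```python
import struct
import tempfile
from pathlib import Path

PLACEABLE_KEY = 0x9AC6CDD7   # magic number of the optional 22-byte preamble

def looks_like_wmf(data: bytes) -> bool:
    """True if the bytes begin with a Windows Metafile header."""
    offset = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        offset = 22          # skip the "placeable" preamble
    if len(data) < offset + 6:
        return False
    # Standard header: type (1 or 2), header size in 16-bit words (9), version
    ftype, header_words, version = struct.unpack_from("<HHH", data, offset)
    return ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)

def find_disguised_metafiles(folder):
    """Names of files that hold Metafile data but do not end in .wmf."""
    hits = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(64)
        if looks_like_wmf(head) and path.suffix.lower() != ".wmf":
            hits.append(path.name)
    return hits

def build_samples(folder):
    """Write constructed, harmless sample files (headers only) for the demo."""
    # 18-byte header plus an end-of-file record: an empty, valid Metafile
    empty_wmf = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0)
    empty_wmf += struct.pack("<IH", 3, 0)
    jpeg_start = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    samples = {
        "clipart.wmf": empty_wmf,     # honest extension
        "picture.jpg": empty_wmf,     # Metafile wearing a JPG extension
        "photo.jpg": jpeg_start,      # real JPEG signature
        "notes.txt": b"shopping list\n",
    }
    for name, content in samples.items():
        (Path(folder) / name).write_bytes(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_dir:
        build_samples(demo_dir)
        for name in find_disguised_metafiles(demo_dir):
            print("Metafile content behind a different extension:", name)
```

Pointed at a downloads or mail-attachment folder instead of the demo folder, the same check lists files worth a closer look with up-to-date anti-virus software.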

So what can you do? Until Microsoft releases its patch Tuesday, surf the Web very carefully.

Microsoft's security site explains the problem reasonably well. Its Web address is: Read that first.

Next, if you have anti-virus software, update its virus "signature" files immediately by visiting the publisher's Web site. Microsoft says the major anti-virus software vendors - including Symantec (Norton), Computer Associates, McAfee, F-Secure and Panda - have updates that protect against the WMF vulnerability.

If you don't have anti-virus software, get some now. Buy it online or in a store, and make sure you download the latest updates.

Microsoft says the Beta version of its anti-spyware program can also detect the type of intrusion these poisoned graphics files generate. It's available free of charge under Security Tools and Tips at


Finally, be alert. This kind of attack accelerates through "social engineering," a hacker's term for persuading you to do something you shouldn't. So don't open any attachment in an e-mail, unless you're absolutely sure what it is and who sent it. And that means absolutely. If in doubt, chuck it out.

Until the Metafile update is available, be careful about the Web sites you visit. Stick with the tried-and-true. Don't click on any link from an e-mail - even if the address appears to be clear from the link itself.

Hackers can disguise the true destination of a link. That's how the operators of phishing sites get you to visit them and give up your credit-card or bank passwords.

Unfortunately, hackers are seeding infected files on legitimate Web sites, too. If your computer suddenly starts acting strangely - particularly if it pops up a screen telling you that you're infected with spyware or adware - it may be time to stop browsing, or at least make your next stop a good anti-virus site.

And make sure you update Windows on Tuesday. If your PC doesn't automatically update itself, click on the Start button and choose Windows Update from the pop-up menu. Don't put it off - this one's too important.