Microsoft released several software patches on Wednesday for a bug that could let seemingly harmless image files open PCs to hackers.
Independent security researchers discovered the flaw and alerted the software company to its existence in March 2005. It affects most versions of Microsoft Windows and received the company鈥檚 highest alert rating of 鈥渃ritical鈥.
The bug allows modified image files to bypass the security of the Windows operating system, potentially providing remote access to an outsider. Images saved in the Windows Metafile and Enhanced Metafile forms 鈥 with the extensions .wmf and .emf 鈥 could be converted to attack PCs, experts say.
Advertisement
The flaws are reminiscent of those touted in the 1994 鈥淛PEG of death鈥 hoax, which 10 years later became a real risk.
Overflow bug
The new flaw is an 鈥渙verflow鈥 bug in the component of the Windows operating system responsible for processing certain image files, called the Windows Graphical Device Interface (GDI).
The overflow bug means that feeding too much information into the parts of computer memory allocated to this program will overwrite other areas of memory. A skilled programmer could use this effect to gain wider access to a machine or steal sensitive information from its hard drive.
But a bigger concern is that an expert hacker will release code that automatically performs the trick. That would enable less accomplished hackers to craft attacks based on the bug.
鈥淎n attacker could send a malicious metafile to a victim via a variety of media 鈥 such as HTML, email, a link to a web page, a Microsoft Office document or a chat message 鈥 in order to execute code on that user鈥檚 system,鈥 reads an advisory issued by US computer security company eEye Digital Security on 8 November.
A similar vulnerability was found to affect older versions of Macromedia鈥檚 popular Flash player software on 7 November. This provides a way for carefully manipulated Flash files to bypass a computer鈥檚 security. Flash files are used to display animations and are often embedded in web pages. A software patch has been released.