The Windows Metafile Format (WMF) flaw is not quite a zero-day
exploit anymore, but it's not quite patched yet, either.
Microsoft has completed the development of a security update to
fix the WMF flaw, which appeared last week. However, the update is
being tested for quality control and isn't going to be released
until Tuesday, Jan. 10.
An attacker could take advantage of the flaw to execute arbitrary
code on a vulnerable Windows XP or Windows 2003 system.
The exploit targets how IE handles pictures that are transmitted
by malicious sites hosting the .wmf file. The flaw saw numerous
variants and was reportedly being exploited in the wild. The WMF
exploit had also been added to the popular Metasploit Framework,
which could also make it easier to execute.
The updated Microsoft advisory acknowledges that, though the
vulnerability is "serious" and attacks are being attempted, "the
scope of the attacks are not widespread."
The flaw's impact has been mitigated in part because the major
antivirus companies have updated their virus signatures to prevent
execution of the associated virus.
Microsoft's own Windows OneCare Live Beta also provides
protection against the vulnerability.
In its updated advisory, Microsoft also addresses why it is
taking so long to issue a security update.
"Creating security updates that effectively fix vulnerabilities
is an extensive process," the advisory states.
The advisory explains that Microsoft security personnel spend
time investigating the severity of the vulnerability, as well as
its impact on applications. Updates are developed for every
supported version of the supported product, localized for 23
languages and then issued simultaneously worldwide.