US-CERT is aware of active exploitation of a vulnerability in how Microsoft Windows handles Windows Metafiles (".wmf"). Several variations of the WMF exploit file have been released that attempt to avoid detection by anti-virus software and intrusion detection and intrusion prevention systems.

A Windows system may be compromised through several methods including:

• Opening a specially crafted WMF file which may be masquerading as a MS Word or MS Office document.
• Opening a specially crafted WMF file which may be masquerading as a JPEG or other type of image file.
• Visiting a specially crafted web site.
• Placing a malicious WMF file in a location that is indexed by Google Desktop Search or other content indexing software.
• Viewing a folder that contains a malicious WMF file with Windows Explorer.

Once the vulnerability is exploited, a remote attacker may be able to perform any of the following malicious activities:

• Execute arbitrary code
• Cause a denial-of-service condition
• Take complete control of a vulnerable system

More information about this vulnerability can be found in the following:

• US-CERT Vulnerability Note: VU#181038 - Microsoft Windows Metafile handler SETABORTPROC GDI Escape vulnerability
• Technical Cyber Security Alert: TA06-005A- Update for Microsoft Windows Metafile Vulnerability
• Cyber Security Alert: SA06-005A - Microsoft Windows Metafile Vulnerability
• Microsoft Security Bulletin: MS06-001

Microsoft has released an update to address this vulnerability in Microsoft Security Bulletin MS06-001.

We strongly encourages users to apply the appropriate updates as soon as possible. This can be done by running Windows Updates and downloading all Critical Updates.