There’s a nasty Windows vulnerability about, first reported on December 27. Details:
Microsoft Windows contains a vulnerability that can allow an attacker to execute arbitrary code. The vulnerability is due to improper handling of Windows metafiles by the Graphics Rendering Engine. Attackers can exploit the vulnerability by creating a metafile and enticing a victim into opening the file. Use of the Windows Picture and Fax Viewer is one known vector of attack through the automatic display of certain metafiles. Known file types that will launch Windows Picture and Fax Viewer when opened are .wmf, .emf, .gif, .jpeg, .jpg, .bmp, and .png. Note: Additional attack vectors may exist.
At the time of writing (January 5) Microsoft hasn’t issued a patch. They’re going to wait until Tuesday January 10 because that’s the next scheduled date for the release of Microsoft upgrades and fixes. Now that’s what I call customer service.
Update (January 6): According to The Register, Microsoft has now issued a patch.