Windows flaw could have enterprise-wide ramifications

An attack on Windows-based systems may cause more concern for IT directors than was first realised.

An attack on Windows-based systems may cause more concern for IT directors than was first realised.

The HappyNY.A attack was first discovered on 26 December and with it, computers based on Windows XP/ Server 2003 can be penetrated through vulnerability in the way the systems handle some Windows Metafile Format (WMF) graphic files.

The attack comes in the form of an email with the subject line "Happy new year" and contains an attached file called HappyNewYear.jpg, which can install a Trojan on computers when executed; in some cases by simply viewing the infected image and not necessarily by clicking on anything or opening any files.

Microsoft is assuring its customers that whilst it regards the issue as serious and that danger from attacks is real, it ultimately believes that the scope of the attacks is limited. It says that the attacks exploiting the WMF vulnerability are being effectively mitigated by anti-virus companies with up-to-date signatures.

However, security experts say that programs reported to be at risk include MSN Messenger, Windows Picture and Fax Viewer, Lotus Notes and, reportedly, Google Desktop's indexer.

Moreover, compound documents, such as Word files, may contain embedded images, so it may be necessary to extend inspection to all attachments.

Security experts recommend that you block WMFs in email attachments and web downloads for immediate, partial protection until a patch can be deployed.

Microsoft has announced that a patch will be ready by 10 January, nearly two weeks after the flaw was discovered. However, third-party patches that disable the use of custom abort code are available now.

That said, there is mixed advice from secuity experts as to how you should proceed.

Gartner warns against the use of unsupported patches, especially by large enterprises, because the patch would require extensive testing and eventual deinstallation and could introduce additional risk and ultimately cost to the business. However, a number of specialist security firms and even august IT security bodies such as the SANS Institute recommend that you take immediate action.

Read more on IT risk management