Mikko Hypponen, director of anti-virus research for F-Secure, said on the firm's website that it has discovered a phishing scam, run from a home PC somewhere in Illinois, designed to exploit the vulnerability.
"This scam works by sending out emails, urging customers of the global HSBC bank to visit a site called www[dot]jhsbc[dot]com. This domain, naturally, has nothing to do with the real bank but it sounds close enough," Hypponen said. "The WMF connection comes from the fact that if you visit this site (and please don't), the front-page contains an IFRAME that will try to push an exploit filed called tr.wmf to your system. When that is executed, it will download a file called update.exe from the same server. This unexpected gift turns out to be a variant of the Trojan-spy.Win32.Goldun family, which will start to collect information from the system."
Mike Nash, corporate vice president for security, said this month that the Redmond, Wash., computing giant wanted to make sure that the update would meet quality goals.
Microsoft released the update five days earlier than its planned Jan. 10 "patch Tuesday" release. The company first advised users last month to maintain antivirus services and apply the work-around it recommended.
Prior to the release, malicious users set up attack websites to exploit the image vulnerability, from which they can execute arbitrary code, cause a denial of service condition or take complete control of an infected PC, the U.S. Computer Emergency Readiness Team and multiple security firms warned late last month.
Stephen Toulouse, security group project manager for Microsoft, said last week on the company's TechNet website that the vulnerability was leftover from a time when PC security was less complicated.
"This was from a different time in the security landscape and these metafile records were all completely trusted by the OS," he said. "To recap, when it was introduced, the SetAbortProc functionality served an important function."