Malicious users had set up attack websites to exploit the image vulnerability, from which they could execute arbitrary code, cause a denial of service condition or take complete control of an infected PC, the U.S. Computer Emergency Readiness Team and multiple security firms warned.
US-CERT said that the vulnerability could affect users of Internet Explorer and Mozilla Firefox, and warned users not to view files they did not recognize.
"Although there is limited information concerning this reported vulnerability, US-CERT encourages users not to view .wmf files and system administrators to block .wmf files at the HTTP proxy and the SMTP level," the agency advised.
F-Secure told users that the new zero-day WMF exploit was easy to stumble upon.
"Do note that it's really easy to get burned by this exploit if you're analyzing it under Windows. All you need to do is to access an infected website with IE or view a folder with infected files with the Windows Explorer," F-Secure researcher Mikko Hypponen warned on the firm's website. "You can get burned even while working in a DOS box!"
Secunia called the threat "extremely critical" and warned users only to open or preview image files from trusted sources.
"Do not save, open or preview untrusted image files from email or other sources, or open untrusted folders and network shares in explorer," the firm said in an advisory. "The risks can be mitigated by unregistering shimgvw.dll. However, this will disable certain functionalities. Secunia does not recommend the use of this workaround on production systems until it has been thoroughly tested."
Computer Associates classified the vulnerability as "high," and said it could possibly be exploited by numerous kinds of files.
"Use of the Windows Picture and Fax Viewer is one known vector of attack through the automatic display of certain metafiles. Known file types that will launch Windows Picture and Fax Viewer when opened are .wmf, .emf, .gif, .jpeg, .jpg, .bmp, and .png," CA said. "Note: Additional attack vectors may exist."
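US-CERT's advice above is to block .wmf files at the HTTP proxy and SMTP gateway, and CA's note lists the file types that open in Windows Picture and Fax Viewer. A gateway filter keyed only on the file extension misses a metafile that arrives under another name, so a practitioner would want to classify the content by its header as well. The following is an added Python example, not code from the article or any of the vendors quoted; the function names `metafile_kind` and `should_block` and the sample byte strings are constructed for illustration. It recognises the two Windows metafile formats by their documented headers: the placeable WMF key 0x9AC6CDD7, the standard WMF header fields (type 1 or 2, header size 9, version 0x0100 or 0x0300), and the EMF record type 1 with the " EMF" signature at offset 40.

```python
import struct

# Documented header constants (little-endian on disk).
PLACEABLE_WMF_KEY = b"\xd7\xcd\xc6\x9a"   # 0x9AC6CDD7 placeable metafile key
EMF_SIGNATURE = b" EMF"                    # 0x464D4520 at offset 40 of EMR_HEADER


def metafile_kind(data: bytes):
    """Classify a file body as 'wmf', 'emf' or None from its header alone.

    The file name is deliberately ignored: the decision rests on content.
    """
    # Placeable WMF: 22-byte placeable header starting with the key.
    if data[:4] == PLACEABLE_WMF_KEY:
        return "wmf"
    # Standard WMF: mtType (1 = memory, 2 = disk), mtHeaderSize = 9 words,
    # mtVersion 0x0100 or 0x0300. Three constrained fields keep false
    # positives on random data low, but this is a heuristic, not a parser.
    if len(data) >= 18:
        mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, 0)
        if mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300):
            return "wmf"
    # EMF: first record is EMR_HEADER (iType == 1) and dSignature == " EMF".
    if len(data) >= 44:
        rec_type = struct.unpack_from("<I", data, 0)[0]
        if rec_type == 1 and data[40:44] == EMF_SIGNATURE:
            return "emf"
    return None


def should_block(filename: str, data: bytes, blocked=("wmf", "emf")) -> bool:
    """Gateway decision: block when either the extension or the content matches."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in blocked or metafile_kind(data) in blocked


# Constructed sample inputs (header bytes only, not real image files).
SAMPLE_STANDARD_WMF = struct.pack("<HHHIHIH", 2, 9, 0x0300, 0, 0, 0, 0)
SAMPLE_PLACEABLE_WMF = PLACEABLE_WMF_KEY + bytes(18) + SAMPLE_STANDARD_WMF
SAMPLE_EMF = struct.pack("<I", 1) + bytes(36) + EMF_SIGNATURE + bytes(4)
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(40)

if __name__ == "__main__":
    for name, body in [("diagram.wmf", SAMPLE_STANDARD_WMF),
                       ("holiday.jpg", SAMPLE_PLACEABLE_WMF),
                       ("chart.emf", SAMPLE_EMF),
                       ("photo.jpg", SAMPLE_JPEG)]:
        print(name, metafile_kind(body), "BLOCK" if should_block(name, body) else "pass")
```

At a proxy or mail gateway this check would run on the decoded attachment or response body before it is handed to the client; the extension test alone is kept as a fallback so that a file named .wmf is still blocked even when its header is damaged.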
Microsoft released a statement Thursday saying the company is investigating the incident and will take appropriate measures as the investigation proceeds. It did not tip its hand on whether it would release a patch outside of its monthly cycle.
"Microsoft is actively monitoring this situation to keep customers informed and will provide additional customer guidance as necessary. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers," the Redmond, Wash., computing giant said. "This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs."
Shane Coursen, senior technology consultant with Kaspersky Lab, said workers returning to offices after New Year's Day could create epidemic conditions for the new threat.
"When people start coming back in to work after the New Year, and if by that time somebody figures out how to package this exploit in the form of a self-propagating worm, we could then see a spike in prevalence," he said. "In order for a worst-case New Year scenario to be avoided, it might depend on how many computers are protected via the MS workaround (assuming it is a solid and acceptable temporary solution), and by people's awareness of the threat."