Well, guess what? A new vulnerability in Windows, and this time, it’s a doozy. All you have to do is visit the wrong website and you’re screwed. At least you’re screwed if you have Windows XP or Server 2003. Us 2k stick-in-the-muds are laughing. Win 2k is vulnerable too. Sorry, should have deleted that line after finding out.
Steven Den Beste drew everyone’s attention to a new exploit out there that will compromise your system the instant a specially malformed .wmf (Windows Metafile, an image format, not a media file despite the name) hits your system. The version of any media player you have is irrelevant, thus far: the flaw is in the code Windows itself uses to render the image, not in a player.
Larry Seltzer says, on eWeek:
Adware sites appear to be going hog-wild with this attack. According to Sunbelt Software, over a thousand sites are spreading more than 50 variants of it, thanks to an underground adware infection network that acts something like the DoubleClick of adware.
I’m told that there is a debate going on in Microsoft over whether to disable WMF file support in Internet Explorer. The fact that there’s a debate probably means that Microsoft has customers relying on this behavior, and that’s worth considering. To me the answer is clear: Leave it in and disable it by default. Create group and local policies to turn it back on so that larger customers and ISVs can re-enable it easily. This behavior should be extended to any, or at least most, nonstandard formats for IE.
I’m hesitant at this point to go into details until there is a patch, but my own research confirms that the potential for spreading this attack far and wide is immense and that easier vectors than Web pages exist. Microsoft has already posted the workaround, but unless a real patch is imminent, the company needs to make a registry-based workaround and publish it through the Automatic Updates system so that users are quickly protected.
Some people laugh when I tell them I won’t move from one version of Windows to the next until I’m forced to. (I’m still on Win2k, and only changed from ’98 in 2002.) Others pooh-pooh and say I’m paranoid when I refuse to install things like Google Desktop or WeatherBug. It’s not my fault they’re suckers for the latest, greatest, and least secure. (Yes, I’m insufferably smug towards them when this happens.) There is a reason I haven’t had any virus infections on my system in three years (only two in the last six, and few spyware infestations). Actually there are five reasons: Norton AntiVirus, Lavasoft Ad-Aware, ZoneAlarm, my router, and common sense. I’m not ultimately hacker-proof, but if you get in, you earned it.
Unfortunately this exploit would earn it in a heartbeat if I hit any site with it. I’m not immune. It may be that no Windows system is, not even ’95. (Well, ok, Win 3.1, but that doesn’t count!)
Win XP users need to go to Start > Run and type in: regsvr32 -u %windir%\system32\shimgvw.dll
2k users type in: REGSVR32 /U SHIMGVW.DLL (the same thing; regsvr32 finds the DLL in system32 through the normal DLL search path). Either way this unregisters the Windows Picture and Fax Viewer, so image previews and thumbnails stop working until you run the same command without the -u (or /U) after a real patch is installed.
More information here.
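The workaround above, scripted with a verification step, as an added example. This is PowerShell written for this page, not from the original post or from Microsoft’s advisory; it assumes an elevated PowerShell session on a machine that still ships shimgvw.dll, and the -Restore switch and the variable names are my own. It unregisters (or, with -Restore, re-registers) the DLL and then walks HKCR\CLSID to confirm that no COM class still points at it, which is the check the bare regsvr32 command never gives you.

```powershell
# Added example (not the original post's code): apply or undo the
# "unregister shimgvw.dll" workaround and verify the registry agrees.
# Assumes an elevated PowerShell session; regsvr32.exe is a standard
# Windows tool, the -Restore switch is this script's own invention.
param([switch]$Restore)

$dll = Join-Path $env:windir 'system32\shimgvw.dll'
if (-not (Test-Path $dll)) { throw "Nothing to do: $dll is not present" }

# /u removes the CLSID registrations the image viewer installed; /s
# suppresses the dialog so the exit code is the only signal we get.
# regsvr32 is a GUI-subsystem exe, so use Start-Process -Wait rather
# than '&' (which would not wait and would not set $LASTEXITCODE).
# Do not name this $args: that is a PowerShell automatic variable.
$rsArgs = if ($Restore) { @('/s', "`"$dll`"") } else { @('/s', '/u', "`"$dll`"") }
$proc = Start-Process -FilePath regsvr32.exe -ArgumentList $rsArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "regsvr32 failed with exit code $($proc.ExitCode)" }

# Verification: collect every CLSID whose InprocServer32 default value
# names shimgvw.dll. After /u the list must be empty; after a restore it
# must be non-empty again.
$hits = foreach ($clsid in Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue) {
    $srv = Get-Item (Join-Path $clsid.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
    if ($srv -and ($srv.GetValue('') -match 'shimgvw\.dll')) { $clsid.PSChildName }
}

if ($Restore) {
    if (-not $hits) { throw 'Restore ran, but no CLSID points at shimgvw.dll' }
    "Re-registered shimgvw.dll under: $($hits -join ', ')"
} else {
    if ($hits) { throw "Still registered under CLSID(s): $($hits -join ', ')" }
    'shimgvw.dll is unregistered. Picture and Fax Viewer and Explorer thumbnails ' +
    'will not work until you run this again with -Restore after patching.'
}
```

Run it once with no arguments to apply the workaround and again with -Restore once the patch is in. Keep the caveat in mind: this only removes the viewer that Explorer and IE hand WMF files to, not the rendering code in Windows that actually parses them, so any program that renders WMF on its own stays exposed, which is why Seltzer’s point about other vectors matters and only the patch is the real fix.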
The Win XP command you entered (which you got from the news article) doesn’t work because two all-critical backslashes were dropped from it. The correct string is:
regsvr32 -u %windir%\system32\shimgvw.dll
Ack. Drat. Fixed.
Ugly. These things keep coming. I sure hope Vista was written more defensively. Individually this stuff isn’t that hard to ward against; the problem is that there is so much of it (vulnerabilities allowing execution of arbitrary code).
Of course, Windows’ typical security model (or practical near lack thereof) doesn’t help.