ElectricNews.net:News:Windows flaw could cause 'serious damage'

ElectricNews.net:News:Windows flaw could cause 'serious damage': "Virus writers have discovered a new flaw in the operating system that could leave its users open to spyware and viruses.
Computers can be infected through programmes inserted into image files, without requiring the user to download any files. Simply viewing a web page or e-mail that contains an infected image is enough to release the virus into the machine. The exploit can be used to install malicious programming on the PC.
The 'WMF exploit', which has been published online by a group of virus writers, is based on what security firm F-Secure describes as bad design, rather than a bug. 'When Windows Metafiles were designed in late 1980s, a feature was included that allowed the image files to contain actual code,' said a posting on the company's website. 'This code would be executed via a callback in special situations. This was not a bug; this was something which was needed at the time.'
This means that the bug could affect all versions of Windows -- even going back to Windows 3.0, which was shipped in 1990. As a result, F-Secure says the WMF flaw could affect more machines than any other security vulnerability has before. However, in practice, Windows XP and Windows Server 2003 are the only platforms that can be easily affected by the exploit. Windows 2000 users who have a third-party application opening their image files are also at risk. "