Latest post from Microsoft on the WMF exploit that’s capturing everyone’s attention:
New Security Advisory for Possible Windows Vulnerability
Hi everyone, Stephen Toulouse here. Just wanted to make sure everyone is aware that this evening the MSRC posted a security advisory regarding a possible vulnerability affecting the Graphics Rendering Engine in Windows. The MSRC has made some additional information and guidance available to customers which you can read more about here.
Possible vulnerability? Umm… ok.
We go to the Security Advisory itself and see this:
Microsoft is investigating new public reports of a possible vulnerability in Windows. Microsoft will continue to investigate the public reports to help provide additional guidance for customers.
But then later, we get the difference between the PR spin and the real data — because this was obviously written by a real person:
What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting the Graphics Rendering Engine in Microsoft Windows. This vulnerability affects the software that is listed in the “Overview” section.
Is this a security vulnerability that requires Microsoft to issue a security update?
We are currently investigating the issue to determine the appropriate course of action for customers. We will include the fix for this issue in an upcoming security bulletin.
They also mention what we’ve been saying — that one attack vector is through email…
I am reading e-mail in plain text, does this help mitigate the vulnerability?
Yes. Reading e-mail in plain text does mitigate this vulnerability where the e-mail vector is concerned although clicking on a link would still put users at risk.
It’s worth reading the advisory, here.