A new security hole has been reported that potentially affects all Windows systems when they try to display images that been specially designed by a malicious attacker. The vulnerability can lead to the attacker taking over your computer entirely. More details are given at the end of this email.
CARDBOX IS NOT AFFECTED BY THIS VULNERABILITY.
The attacking images use the programming features of Microsoft's WMF format. Cardbox has not been designed to read images in WMF format and so cannot activate an infection.
When it imports images in another image format - for example, GIF, JPEG, TIFF,and PDF - Cardbox does so on its own, without the assistance of Windows. Thus it cannot trigger any virus infection that depends on bugs in Windows.
DETAILS
The attacking image can arrive in an email or come from a maliciously designed web page. The filename of the image can end in something innocuous such as GIF or JPG: this is because Windows, when it displays an image, checks the true format of the image rather than its filename. So if the disguised "GIF" or "JPG" image is in fact in WMF format, Windows will treat it as being in WMF format and will infect itself automatically when it tries to display the image.
LINKS
http://msnbc.msn.com/id/10684853/ - a report from the Financial Times.
http://blogs.guardian.co.uk/askjack/2006/01/imortant_windows_wmf_metafile.html - a report from the Guardian, giving more technical details and recommendations for protecting your computer.
http://www.techworld.com/security/news/index.cfm?NewsID=5070 - a report from TechWorld.
