That is a reasonable scenario; one worth being aware of. Regardless, I still believe it is pretty unlikely, or at least a lot less likely than my aforementioned Blaster/Slammer examples. (In my mind, that is the real problem – we had some pretty serious worms in the past and people are now trying to re-orient consumers to be more afraid of less significant problems.)

If you have to build a multi-step scenario for it to work, then it just doesn’t ring “extremely critical” to me… you are welcome to describe these circumstances (as has occurred) and suggest that under these constraints, it is “extremely critical,” just don’t suggest it to the world when the majority (by far) is highly unlikely to be affected.

As far as a solution is concerned, simply removing .wmf associations should solve the problem (maybe not for the Google problem). If that doesn’t work, there are registry settings and DLLs that you can change. I suspect antivirus software can be effective here as well.

And remember, don’t surf to the four websites that are affected and don’t set Google desktop to automatic.

So, while you’re away from your PC, somebody sends you an email with a bad WMF as an attachment. Google Desktop will index it immediatly and you get infected totally automatically. Sounds like no user interaction to me.

I think the likelihood of some “trusted” site becoming infected is fairly low. Staying infected is close to zero (someone would scream fairly quickly). Sure, it could happen, but this isn’t really the type of thing you can hide all that easily.

It is worth noting that this malware doesn’t have to propagate via the Web, but I can’t come up with a legitimate way to infect someone that doesn’t involve one or more clicks.

I think basic protection is fairly straightforward – I just went in and disabled my .wmf file association so that it would require (at least) two clicks to view a file. It may have a significant impact for those folks who use .wmf files quite frequently, I suppose.

I guess my real problem is that an “extremely critical” rating leaves no room for differentiation of threats that I consider much more significant – in particular, worms like Blaster and Slammer.

Note as well that my final recommendation is much more important than simply “not clicking,” it involves a new (for some) way of thinking about the problem – host intrusion prevention.

The step from step from deliberate sites infecting this to “trusted” sites potentially doing it seems smaller than a potential mutation of the bird flu.

If the only defense is “don’t go there,” your trusting the other guy to not hurt you. There’s virtually nothing the end user can do save disabling certain features. When faith on the webservers virtue is your advice on how to avoid this “funny they call it extreme” vulnerability, well that seems to be a pretty big problem.