"Yesterday only a few of the sites we monitor used this exploit," wrote Eric Sites, vice president of research at Sunbelt, "but now that number is exploding." (Another security vendor, San Diego-based Websense, said Thursday that "thousands of sites" were distributing exploit code from iFramecash [dot] biz.)
Users can also ditch Internet Explorer for Firefox or Opera. The vulnerability isn't within IE itself, but that browser does open WMF files automatically without asking permission from the user. Firefox and Opera at least put up a dialog box asking the user if he or she wants to open the file with Windows Picture and Fax Viewer. Using Firefox or Opera, however, doesn't guarantee that a PC is immune, since a malicious WMF file could still be introduced via e-mail.
Finally, said Microsoft, users should keep their anti-virus defenses up to date, since most are or soon will provide signatures for the exploits taking advantage of the vulnerability. As of mid-day Thursday, for example, all the major anti-virus vendors had released some signatures.
But that, too, may not completely defend against the threat. By late Wednesday, Sunbelt Software had detected more than 50 exploit variants.