Microsoft releases emergency patch for WMF exploit

Thursday, January 5, 2006 

Breaking with the scheduled Patch Tuesday cycle of bugfix releases, Microsoft has released an emergency patch to correct the Windows Metafile vulnerability that allows a remote compromise of a computer.

Microsoft has made available patches for all currently supported versions of their Windows operating system. However, the Windows 98, Windows 98 Second Edition, and Windows Millennium Edition versions have not – at this time – had patches issued for this vulnerability. According to Microsoft, these versions contain the vulnerable software component but, "the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions."

Current versions of Windows, including Windows XP and Windows Server 2003, depending on configuration, may prompt users to download or install this update automatically for those computers currently connected to the Internet. This is the preferred method of protecting your computer from this vulnerability.

Other users are advised to visit Microsoft Windows Update to obtain this security patch, if they are unable to obtain the patch or are unsure whether they have it.

Previous methods of protection included unregistering shimgvw.dll to disable handling of Windows MetaFiles, as per Microsoft's security advisory. Since it does not correct the underlying problem, it is unlikely that this method is recommended any longer.

Other methods included Ilfak Guilfanov's unofficial patch, which was not advised by Microsoft, but served as a measure to mitigate the immediate effects until an official patch was released. Guilfanov has now noted that the patch is no longer needed.