Interim WMF Exploit Savior
We've all been following the dramatic story of the whole wmf exploit and how it is easily spoofed into other image types. The last day of 2005 the wmf exploit exploded into other various venues such as instant messages, email, and more. Various tools have been setup to try and catch or filter out the wmf exploit, but last night it has mutated. Newest variations change the header and tail of the wmf exploit making its signature difficult to locate.
Drum roll please...
Ilfak Guilfanov who is being billed as one of the foremost experts in Windows low level technology has released a temporary/interim patch for Windows.
(check often for updates, this is version 1.4)Technical details: "this is a DLL which gets injected to all processes loading user32.dll.
It patches the Escape() function in gdi32.dll. The result of the patch is that the SETABORT escape sequence is not accepted anymore."
Once Microsoft releases an official patch, or if the above doesn't work, you can uninstall it from your Add/Remove Programs menu. It'll be listed as
"Windows WMF Metafile Vulnerability HotFix".
The
Internet Storm Center gives this patch its stamp of approval:
We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.
The word from Redmond isn't encouraging. We've heard nothing to indicate that we're going to see anything from Microsoft before January 9th.
The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
So there you have it, don't trust the firewall filters, don't trust the antivirus vendors, don't wait for Microsoft. Install the patch immediately. If you are running a Windows operating system the patch doesn't support, time to shut it off and wait.
Ref:
grc.com,
sunbeltblog,
hexblogNote: WMF Hotfix is at version 1.4 now which supports batch installation.
