Microsoft Delays Fixing WMF Flaw

January 5, 2006: The critical Windows WMF vulnerability discovered on December 27th 2005 has ignited a blaze of exploits. A third-party patch to plug the flaw was released on the 31st of December. As of today, we have five more days to wait for Microsoft to get its act together.

Microsoft has stated that its patch will be released on January 10 – as part of its next monthly update cycle. This comes a full two weeks after the flaw became public knowledge, and much too late to stop the flood of malicious exploits that have already appeared.

Exploits that use spam to lure people to malicious web sites, for example, are appearing daily, and given the critical nature of the flaw they could infect a reported 99% of Windows PCs.

A Russian developer, Ilfak Guilfanov, has done what Microsoft has so far failed to do and released a patch to correct the flaw. Guilfanov, senior developer at Datarescue in Liege, Belgium, authored the fix, which blocks WMF exploits by making gdi32.dll's Escape() function ignore any call using the SETABORTPROC parameter.

A third-party fix for such a serious flaw immediately raises a number of security and stability concerns. However, Guilfanov is confident that his patch is effective, and to prove it he has released the source code so it can be scrutinised by anyone before installation. The security organisations F-Secure and the SANS Institute's Internet Storm Center (ISC) have both recommended that the unofficial patch be installed.
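Guilfanov's patch blocks SETABORTPROC at runtime inside gdi32.dll; a defender filtering files at a mail or web gateway can look for the same thing statically. The scanner below is an added illustration, not code from the article or from Guilfanov's patch: it walks a WMF record stream and reports the offset of every Escape record (function 0x0626) whose sub-function is SETABORTPROC (9). It assumes the standard WMF layout (an optional 22-byte placeable header, an 18-byte header, records sized in 16-bit words) and builds its own constructed sample files, none of which carry a payload.

```python
import struct

# WMF record function codes and the Escape sub-function the 2005 exploits abused
META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 0x0009
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header prefix


def find_setabortproc(data: bytes):
    """Walk a WMF record stream and return the byte offsets of Escape records
    whose sub-function is SETABORTPROC.  An empty list means nothing was found.
    Heuristic only: it inspects record headers, it does not interpret them."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]   # normally 9
    off += header_words * 2
    hits = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # size is in 16-bit words
        if size_words < 3:
            raise ValueError(f"malformed record size at offset {off}")
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.append(off)
        off += size_words * 2
    return hits


def _record(func, params=b""):
    """Build one WMF record: uint32 size in words, uint16 function, parameters."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records):
    """Wrap records in a standard 18-byte WMF header plus the EOF record."""
    body = b"".join(records) + _record(META_EOF)
    max_rec = max(len(r) // 2 for r in records)
    return struct.pack("<HHHIHIH", 1, 9, 0x300, (18 + len(body)) // 2, 0, max_rec, 0) + body


# Constructed samples (not real files): one benign record, one SETABORTPROC escape
CLEAN_WMF = _wmf([_record(0x0214, struct.pack("<HH", 10, 10))])      # META_SETWINDOWEXT
SUSPICIOUS_WMF = _wmf([_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
PLACEABLE_WMF = struct.pack("<I", PLACEABLE_MAGIC) + bytes(18) + SUSPICIOUS_WMF
```

A hit is a reason to quarantine and inspect, not proof of malice: SETABORTPROC is a legitimate, if rarely used, escape, and a deliberately malformed record stream can still defeat a header walk like this one.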

Patch Location
The patch can be found on Guilfanov’s Blog. Because it is an unofficial patch, Guilfanov himself recommends installing it with caution, especially when deploying to larger networks of computers.

Have you been affected by this WMF flaw?
