[ update: Microsoft has finally released it's Security update for WMF vulnerability. To apply the patch, simply visit the Windows Update web site, automatically scan for updates and install. ] Thanks Fuzzie for bringing this to my attention.

The purpose of this article is to clearly lay out all the information i could find on the recent Windows exploit, namely the WMF (Windows Metafile) vulnerability. Instead of adding to the current state of panic, my hope is that this post will help to clear up some of the apparent contradictions surrounding this issue and provide a kind of reference in the decision making process (ie: overall severity and what actions to take).

I’ll begin with a brief overview of the current state of affairs:

A Windows Metafile (WMF) – is a 16-bit metafile that can be used by all versions of Windows to display a picture. Similar to a .jpeg, .gif or bitmap.

A Metafile – is simply a list of commands that can be executed to draw a graphic. Normally, these commands are used to style objects such as lines, polygon and text. In this case, the WMF is being used to trigger potentially malicious code (ex: trojans).

For more background on Windows Metafile you can read the Wikipedia definition here.

i was also planning on quickly going over the events that have unfolded in reaction to the news about the widespread potential of this type of exploit. However, it turns out that the Wikipedia, once again, has done this job for me (and probably better than i could have done). If you’re late on the scene for this whole thing, i recommend you spend a few minutes reviewing that page as well.

Still, here’s a short list of the key points related to the most recent Windows Metafile Vulnerability:

• First reports of affected computers: December 28, 2005. [more info here and here]
• List of Vulnerable Systems: All versions of Windows. [ see full list here ]
• How it spreads: via email attachments [ although Microsoft is now saying otherwise ] or even just loading a website with WMF graphics. Read more here.

There seems to be some uncertainty surrounding the list of vulnerable systems. Some sources believe that older systems like Win95/98 and even WinME/2K can not easily be exploited in this manner. Read here, here and here for more info.

Protection against this exploit -

• The Workaround according to Microsoft: unregistering the dll [ type: "regsvr32.exe /u shimgvw.dll" in the command prompt ]
• The Unofficial Patch: by Ilfak Guilfanov version1.4 can be found here.
• The Unofficial Patch: based on the fix by Ilfak Guilfanov can be found here. [ .msi installer version 1.4 ]
• The Unofficial Patch: developed by ESET version1.1 can be found here. [ updated: Jan. 05, 2006. ( source: eWEEK.com ) ]

The best description of what these fixes actually do to your system can be found here [.pdf format]

Additional Notes -

• This is not an actual virus outbreak [it is an exploit, meaning just leaving your pc online but unpatched does not guarantee that you will be attacked].
• Some people have reported minor “issues” related to installing this patch such as printing problems.
• There is already a Microsoft patch available that is a pre-release which leaked onto the internet this morning and is said to be tested on Winxp/2k3 systems, but every link i’ve found was broken and had the file taken offline. For those interested, the file was named WindowsXP-KB912919-x86-ENU.exe and i’m sure it will surface again sooner or later.
• McAfee has added WMF exploit detection to its latest DAT file, which can detect exploits created by this tool.
• ESET claims its NOD32 anti-virus stops hackers from using all 206/206 tested WMF vulnerability exploits. They offer a 30-day trial version of their software which would protect you from this exploit “without having to take any special actions”, according to ESET (presumably until Microsoft releases an official fix). [ updated: Jan. 05, 2006. ]

That’s all i could find at this time. Hope it helps in some way.