You may or may not have heard about the WMF vulnerability that was discovered a few days ago in Windows. Odds are, you haven't. The media isn't really talking about it yet, which is unfortunate, because this is a pretty big one. All versions of Windows are affected, there are already dozens of different exploits in the wild, and Microsoft has not released a patch, nor is it likely they will for another week or more. I hate posting something here that feels a lot like those 'virus warning' forwards you hate getting from your more wide-eyed friends, but this is important and nobody seems to have heard about it. There's a FAQ available here.
Essentially, if you're running Windows, you can be infected by viewing an email or webpage that has a malicious image file on it, even if the file doesn't have a .wmf extension (Windows helpfully detects that it's a WMF by a special sequence of bytes in the file and opens it anyway). If you're running a program that indexes your hard disk, like Google Desktop, and it comes across the file on your disk, it too will open it and infect you. Because of the complex structure of WMF files, there is an extreme amount of variability in the potential avenues of exploit, so this attack can't be effectively blocked with firewall rules or antivirus software.
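The point above, that Windows identifies a WMF by its header bytes and not by its extension, is also the basis for finding such files defensively. The following is an added example, not code from this post or from the third-party patch it links: it checks the two WMF header layouts (the "placeable" metafile, which opens with the key 0x9AC6CDD7, and the bare standard metafile, whose header starts with Type 1 or 2, HeaderSize 9 and Version 0x0100 or 0x0300) and walks a directory tree reporting files whose content is WMF but whose name says otherwise. The sample files it writes are constructed here for illustration.

```python
"""Identify WMF files by their header bytes rather than their extension.

Added example for this post (not code from the page or the patch it links).
Sample inputs are constructed; the header constants are the documented
WMF/placeable-metafile layouts.
"""
import os
import struct
import tempfile

PLACEABLE_KEY = 0x9AC6CDD7  # stored little-endian: bytes D7 CD C6 9A


def looks_like_wmf(data: bytes) -> bool:
    """Return True if the leading bytes match a placeable or standard WMF header."""
    # Placeable (Aldus) header: 32-bit key at offset 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return True
    # Standard METAHEADER: Type (1 = memory, 2 = disk), HeaderSize (always 9 words),
    # Version (0x0100 for Windows 1.0, 0x0300 for Windows 3.0)
    if len(data) >= 6:
        mtype, header_size, version = struct.unpack_from("<HHH", data, 0)
        if mtype in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return True
    return False


def find_disguised_wmf(root: str):
    """Walk a tree and return paths whose content is WMF but whose extension is not .wmf,
    i.e. the renamed-image case the post describes."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(22)  # the placeable header is 22 bytes long
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if looks_like_wmf(head) and not name.lower().endswith(".wmf"):
                hits.append(path)
    return hits


# Constructed samples: a placeable header, a standard header, and a real JPEG start.
SAMPLE_PLACEABLE = bytes.fromhex("d7cdc69a0000" + "00" * 16)
SAMPLE_STANDARD = bytes.fromhex("010009000003")
SAMPLE_JPEG = bytes.fromhex("ffd8ffe000104a464946")


def demo_scan():
    """Write the constructed samples into a temporary directory and scan it.
    Returns the base names of files flagged as WMF-in-disguise."""
    tmp = tempfile.mkdtemp()
    samples = {
        "holiday.jpg": SAMPLE_PLACEABLE,  # WMF content behind a .jpg name
        "diagram.wmf": SAMPLE_STANDARD,   # honest extension, not reported
        "photo.jpg": SAMPLE_JPEG,         # genuine JPEG header
        "readme.gif": SAMPLE_STANDARD,    # WMF content behind a .gif name
    }
    for name, content in samples.items():
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(content)
    return sorted(os.path.basename(p) for p in find_disguised_wmf(tmp))


if __name__ == "__main__":
    for flagged in demo_scan():
        print("WMF content with non-.wmf name:", flagged)
```

Run it against a mail spool or download folder to get a list of files that a WMF-capable viewer would render as metafiles whatever their names claim; it is a content check only and makes no judgement about whether a given metafile is malicious, which is exactly why signature-based blocking is weak here.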
Microsoft has posted a security advisory about the vulnerability, but it doesn't offer a solution. It sounds like they won't be releasing a patch until January 9 at the earliest, but this is going to go crazy today when all the business PCs go back online.
Fortunately, the network security community has stepped up to make up for Microsoft's slackness, and an individual has written a third-party patch to block the vulnerability in Windows 2000 and XP until Microsoft releases an official patch. The code for the third-party patch is available and has been scrutinized very carefully by security experts like Steve Gibson and the handlers at the Internet Storm Center at SANS, who have confirmed that it does exactly what it says, and does it well.
Here's what you need to do. Download and install this patch:
http://handlers.san...wmffix_hexblog13.exe
The MD5 hash for the file should be 14d8c937d97572deb9cb07297a87e62a, but if you're suspicious enough to validate the MD5 hash, you'll want to go get it from SANS instead of taking my word for it.
Once you've installed the patch, you should be safe, but it's strongly suggested you also unregister the vulnerable DLL like this:
- Click Start, click Run, type "regsvr32 -u %windir%\system32\shimgvw.dll" (without the quotation marks), and then click OK.
- A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.
Now you're safe, though once Microsoft releases their official patch, you should uninstall this one and install the real one (the third-party patch will add an entry to Add/Remove Programs to let you easily uninstall it).
Note that the third-party patch only works on Windows 2000 and Windows XP. I'll quote the ISC:
Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade.
OK, enough scaremongering on my part. This isn't really what I use BinRock for, but this has been released at a really bad time, and most experts are predicting it's going to be a bad one, and I figure I can at least help my friends avoid being among the fallen.
Posted by Antonio 2 days, 1 hour later
My favorite WMF exploit was when Hulk Hogan was going to pin his opponent and Randy Savage came out and hit him with a chair. It was so unfair...