
WMF vulnerability patch and more good news

Written by Suzi Turner, Contributor

An unofficial patch has been written by programmer Ilfak Guilfanov. It works in my tests. Get it here. Uninstall it before installing the Microsoft patch due on January 10. There is also a vulnerability checker here. Guilfanov's blog must be getting heavy traffic -- the pages are not opening for me now. You can also download the patch at SANS. SANS also has a WMF FAQ.

Initially it was thought that all versions of Windows were vulnerable. Now several sources are saying that older versions are not vulnerable after all. See Larry Seltzer's blog here.

I have been testing a lot tonight and it appears to me that iDEFENSE is right: In a practical sense, only Windows XP and Windows Server 2003 (in all their service pack levels) are vulnerable to the WMF flaw.

Microsoft announced today the official patch is slated to be released on January 10.

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

In the meantime, I highly recommend installing the patch from Guilfanov. 
