Velouria
Long time lurker
Note: if you run Windows, this WAS important but the panic is well over by now, as Microsoft have released an official patch, so if you've been updating regularly you'll be OK by now. Systems running Windows 2000, Windows XP, Windows Server 2003, and quite probably older versions too, are vulnerable. Posting this here as I don't see another thread about it other than a vaguely worded one which mentions it.
I see some sysadmins will be having fun tomorrow (I should be on holiday but, well, with this going on, I might get called in ...).

Apparently, a longstanding vulnerability in the way that Windows handles Windows Metafiles (WMF files) has been exploited in a way which is hard for antivirus programmes to pick up on. Even just blocking files at your firewall, etc., is not enough to mitigate the vulnerability: due to the way WMF files are handled, it will still execute even if the file is renamed to .JPG or whatever. The vulnerability lies in the way that WMF files are structured. A user may specify an EXITPROC, or exit procedure, inside the WMF which is called when the WMF fails to draw properly. Unfortunately, there are no limits as to what you can call ... leaving a huge gaping security hole. And there is no Microsoft patch at present; however, there is a third-party-written patch (and Microsoft's workaround which, umm ... doesn't really work).

You can read more about it here at the Internet Storm Center (where they also have the patch). Keep going through using the Next link ... you'll find the patch. A worm which exploits it is already in the wild.
The ISC are advising people to use the unofficial patch in the interim until Microsoft release an official one. The unofficial patch doesn't alter any Windows system files, but instead patches Windows 'on the fly' to disable the vulnerability. It's your choice really: install the unofficial patch, or follow Microsoft's advice, which may not do you much good as the steps you take may be reversed when you install/use programs which 'fix' the fact you unregistered the DLL ...
It's up to you I guess - trust the security experts or trust Microsoft? You choose.
Users running non-Microsoft operating systems: please go to another thread to slag off Microsoft and their lamentable security woes.

Sysadmins: I wanna know what you've done/are doing/will be doing. (Some of you may well be working now, called in because of this or on shift ...)
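As an added defender-side check (my own example, not code from the post or from the ISC patch): the "exit procedure" the post describes is the SetAbortProc escape, escape number 9 carried inside a META_ESCAPE (0x0626) record, and a scanner can look for that record by parsing the WMF structure rather than trusting the file extension, which is exactly why the .JPG rename the post mentions does not help. The sample files below are constructed inline for the demonstration.

```python
import struct

META_ESCAPE = 0x0626      # WMF record type: printer/driver escape
SETABORTPROC = 0x0009     # escape number abused by the WMF exploit
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte Aldus placeable header

def wmf_records(data: bytes):
    """Yield (function, params) for each record of a WMF blob.

    Stops quietly on truncated or malformed records, so unexpected
    input (e.g. a real JPEG) simply produces no records.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:          # standard header is 9 words = 18 bytes
        return
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2         # record size is given in 16-bit words
        if size < 6 or off + size > len(data):
            break
        yield func, data[off + 6:off + size]
        if func == 0:                 # META_EOF
            break
        off += size

def uses_setabortproc(data: bytes) -> bool:
    """True if any META_ESCAPE record selects the SetAbortProc escape."""
    for func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                return True
    return False

def build_wmf(records):
    """Constructed helper: wrap records in a minimal standard WMF header."""
    body = b"".join(struct.pack("<IH", (6 + len(p)) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, 0)  # META_EOF record
    header = struct.pack("<HHHIHIH", 1, 9, 0x300, (18 + len(body)) // 2, 0, 0, 0)
    return header + body

# Constructed samples: a harmless drawing record vs. a SetAbortProc escape.
BENIGN = build_wmf([(0x0201, struct.pack("<I", 0x00FF0000))])        # META_SETBKCOLOR
FLAGGED = build_wmf([(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
```

Run `uses_setabortproc()` over a file's bytes regardless of its extension; it flags FLAGGED and leaves BENIGN and non-WMF data alone.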