Security Update for the Windows Meta File Vulnerability Available

Apparently, or accidentally as zdnet reported, Microsoft has released a patch to fix the WMF vulnerability in Windows, here is the bulletin Microsoft Security Bulletin MS06-001 Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919). The date on this page is from yesterday, so, even if it got released by accident, it looks like they were going to release it early anyway.

This vulnerability is currently being exploited and was previously discussed by Microsoft in Microsoft Security Advisory 912840.

If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

We recommend that customers apply the update immediately.

We do too. Good move releasing this earlier than you first stated Microsoft, but still probably too late for some users.

From the Common Vulnerabilities and Exposures website, “The Windows Graphical Device Interface library (GDI32.DLL) in Microsoft Windows allows remote attackers to execute arbitrary code via a Windows Metafile (WMF) format image with a crafted SETABORTPROC GDI Escape function call, related to the Windows Picture and Fax Viewer (SHIMGVW.DLL), a different vulnerability than CVE-2005-2123 and CVE-2005-2124, and as originally discovered in the wild on”

Note: This release says it is not critical for windows 98 or Windows ME users, noting that although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. They will be releasing a patch for these operating systems later.

On the website, they quoted Microsoft saying;

The software maker said Thursday it will deliver two updates on Tuesday, Jan. 10, as part of its scheduled monthly bulletin of security patches.

In response to customer pressure, the software maker on Thursday delivered a fix for a Windows flaw that lies in the way Windows renders Windows Meta File images. The flaw that has become a conduit for several attacks.

Next week, Microsoft plans to provide two additional security updates: one for Windows, and one for Microsoft Office and e-mail server software Exchange, the company said in a notice on its Web site.

Both updates will fix at least one flaw that the software maker deems critical, according to the notice. Microsoft rates as critical any security threat that could allow a malicious Internet worm to spread without any action required on the part of the user.