Microsoft has now made an official patch available for the WMF vulnerability for all versions of Windows from Windows 2000 forward. See the notice at Microsoft’s site here, and select the proper patch for your system.
Official Microsoft WMF Patch Now Available
(Click the link, then look for “Security Update for the Windows Meta File Vulnerability Available”. OR just visit Windows Update. A direct download is more certain, though, with high-demand updates.)
OR
…if you want to go directly to the page with all the patches listed by Windows version.
Three ways to update, so you’ve no excuse.
:-)
Oh, and if you have previously applied Ilfak Guilfanov’s patch, uninstall it through Control Panel before applying Microsoft’s patch.
PSA-pinned to Ferdy’s Bulletin Board at Conservative Cat
Update: All the security/OS wonks I usually listen to kept saying only a very few AV companies had some partial protection against WMF exploits. I just checked Grisoft’s website (remember: I’m concerned about computer security and have never suffered an infection by malware, probably because I practice semi-paranoid computing, BUT I am a tightwad, too. :-). All Grisoft’s products (including the Free Version of AVG) have offered at least this much protection against the WMF exploit since December 29–pretty quick response:
Exploit.WMF
These files exploit the WMF vulnerability in Windows Operating Systems that allows malware code execution while a WMF format file is opening. Unfortunately, a security patch for this vulnerability is not available at this time. AVG detects these files as Exploit.WMF and also as Trojan horse Downloader.Agent.
Not exceptionally bad. In fact, not half bad. Even unpatched systems can have such files noted for deletion or removal to a “vault” on normal daily scans (your AV software is set for daily scans as well as scans of all downloads, automatically, right? Right? :-)
But. What about a visit to a web page with an exploit-embedded graphic? Better patch those systems, folks, even if your AV does offer some protection.