Contrary to it’s earlier statement, Microsoft decided to release a fix today for the flaw in the handling of WMF files that had exposed the security of all recent versions of Windows. According to the Microsoft press release:
On Tuesday, Jan. 3, 2006, Microsoft Corp. announced that it would release a security update to help protect customers from exploitations of a vulnerability in the Windows® Meta File (WMF) area of code in the Windows operating system, in response to malicious and criminal attacks on computer users that were discovered last week.
Microsoft will release the update today, Thursday, Jan. 5, 2006, earlier than planned.
Microsoft originally planned to release the update on Tuesday, Jan. 10, 2006, as part of its regular monthly release of security bulletins, after testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.
The associated Microsoft Security Advisory 912840 has been updated and somewhat puzzlingly now has this disclaimer:
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) were previously listed as affected, but are no longer listed. Why is that?
Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates.
For Windows 2000, XP, and Server 2003 however, the patch is available from the usual locations including Windows and Microsoft Update.