Brian Krebs at the Washington Post has a useful review of where things currently stand with the Windows WMF vulnerability (mentioned here last week) and the unofficial patch that is available. In a nutshell, the antique WMF file format (dating back to Windows 3.0) has left Windows wide open, and while knowledgeable folks are waiting with trepidation to see which of the lowlifes walks in first, some have taken matters into their own hands to formulate a defense. Krebs:
I have to say I’m surprised that Microsoft has not yet issued an official fix for this. My guess is that if they wait until a week from Tuesday to ship an update, it will cost them dearly in terms of current and potential future customers.
And speaking of public relations, Microsoft’s Robert Scoble links to a Channel 9 post where the discussion makes it clear that there won’t be any unofficial advice from Microsoft employees. Generally, there’s nothing worse than “informal” security advice and I realize the difficulties in creating the “official” patch, but from a public relations standpoint it really doesn’t look good that it seems to be a band of volunteers that is manning the barricades and doing an excellent job of it.
One other thought – despite some commentary I have seen that this vulnerability spells the end of Windows 98 systems connected to the Internet, Windows 98 will still receive official Microsoft security patches until June 30, 2006 and should be covered by the official fix when it arrives.