for whatever reason (i wonder… .. … ….. ..) microsoft decided to release the “official” wmf patch today, ahead of schedule:
http://www.microsoft.com/technet/security/bulletin/advance.mspx

we will see how it differs from ilfak’s.

but as a friend said.. there are still 2 critical vulnerabilities to be released next black tuesday.

[updates] from matthew murphy:

according to my msrc source, the patch has hit wu now. the bulletin is
up as we speak:

http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx

my tests indicate the updates are up as well:

windows 2000 sp4

http://www.microsoft.com/downloads/details.aspx?familyid=aa9e27bd-cb9a-4ef1-92a3-00ffe7b2ac74

windows xp sp1/sp2

http://www.microsoft.com/downloads/details.aspx?familyid=0c1b4c96-57ae-499e-b89b-215b7bb4d8e9

windows xp x64 edition

http://www.microsoft.com/downloads/details.aspx?familyid=3a1166e6-5e9e-4e73-bcd4-28eca6ece877

windows server 2003

http://www.microsoft.com/downloads/details.aspx?familyid=1584aae0-51ce-47d6-9a03-db5b9077f1f2

windows server 2003 for itanium

http://www.microsoft.com/downloads/details.aspx?familyid=6e372d41-2c16-415e-8306-a5ca8845cc09

windows server 2003 x64 edition

http://www.microsoft.com/downloads/details.aspx?familyid=a8f4dcba-5d28-4d9d-a6a4-3b71108cfe2d

there is *no patch* for windows 98, windows 98 se, or windows me at this
time.

a quick study of the bulletin reveals this from the faq:

“specifically, the change introduced to address this vulnerability
removes the support for the setabortproc record type from the
meta_escape record in a wmf image. this update does not remove support
for abortproc functions registered by application setabortproc() api calls.”

so, iow, it’s the same functionality as in ilfak’s patch, minus the hook.

–
gadi evron,
ge@beyondsecurity.com.