WMF Exploit: Your Sieve is Now Patched

• By Matt Stephens
• January 6, 2006

The world is shouting at you to download Microsoft’s new WMF exploit patch right now, and with good reason. Hundreds of WMF exploits are already circulating the Internet, taking advantage of this fundamental security hole in GDI32.dll.

Whichever version of Windows you’re using, and regardless of whether you’re using Firefox, Opera, Excel, Word, Outlook, IE or whatever, your system is vulnerable without this patch.

There, that’s the hysteria out of the way. The patch (security update MS06-001) is available here. If you haven’t installed it yet, best go do that right now! (Okay, now that’s the hysteria out of the way).

Microsoft had announced that they were going to release this patch as part of their monthly “uber-patch” security update. However, following howls of indignation – and security experts recommending that people actually install an unofficial third-party fix in the meantime – Microsoft wisely released the patch four days early.

It gives one quite a warm fuzzy feeling to know that your PC is now “secure” again. But it kind of reminds me of Edward Lear’s The Jumblies (the picture’s from the UK edition):

“They went to sea in a sieve they did, In a sieve they went to sea. In spite of all their friends could say, On a winter’s morn, on a stormy day, In a sieve they went to sea.”

The momentary feeling of safeness you might get from the WMF patch is warranted, because at least you know that the hundreds of WMF exploits already in the wild are now prevented from wreaking havoc on your PC (you hope). But it’s not dissimilar to the Jumblies being elated because they’ve patched one tiny hole in their giant sieve. It’s probably a small consolation, but we’re all in the same boat together. We are all Jumblies now.