WMF flaw provokes headaches, workarounds

Companies are racing to patch a WMF vulnerability in all versions of Microsoft Windows XP and Windows Server 2003. Information about the vulnerability became public in late December, and Microsoft released an out-of-cycle patch last week (see the security bulletin).

Though Microsoft released the patch early, it will still take time for IT organizations to test and roll it out. In the meantime, one workaround is to de-register the Windows Picture and Fax Viewer DLL (Shimgvw.dll) that enables WMF viewing, though that will also disable thumbnails in Internet Explorer. Microsoft itself had recommended taking that approach until its patch was available. In an interesting twist, Microsoft accidentally released a version of its patch early, but asked security managers to disregard it.
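The de-registration workaround above, as an added PowerShell example that is not from the article, Microsoft or SANS: it reports whether Shimgvw.dll is currently registered as a COM server and can toggle that state so the DLL is restored once the official patch is rolled out. It assumes an elevated PowerShell session (XP-era hosts would run the same regsvr32 commands from cmd.exe) and the default %WINDIR%\system32 location of the DLL; the function names are my own.

```powershell
# Added example, not from the article. Assumes an elevated session and that
# Shimgvw.dll sits in %WINDIR%\system32 (its default location).
$ShimgvwPath = Join-Path $env:WINDIR 'system32\shimgvw.dll'

function Get-ShimgvwClsid {
    # Walk HKCR\CLSID and return every CLSID whose InProcServer32 default value
    # points at shimgvw.dll. No results means the DLL is not registered as a COM
    # server, i.e. the workaround is in place (and Explorer thumbnails are off).
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inproc = Join-Path $_.PSPath 'InProcServer32'
            if (Test-Path $inproc) {
                $server = (Get-ItemProperty -Path $inproc).'(default)'
                if ($server -and $server -like '*shimgvw.dll*') { $_.PSChildName }
            }
        }
}

function Set-ShimgvwRegistration {
    param([Parameter(Mandatory)][bool]$Registered)
    # regsvr32 is a GUI-subsystem binary, so Start-Process -Wait is used to get
    # its exit code (0 = success); /s suppresses the result dialog, /u unregisters.
    $argList = if ($Registered) { "/s `"$ShimgvwPath`"" } else { "/s /u `"$ShimgvwPath`"" }
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $argList -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "regsvr32 exited with code $($proc.ExitCode)" }
    # Verify against the registry rather than trusting the exit code alone.
    return ((@(Get-ShimgvwClsid).Count -gt 0) -eq $Registered)
}

# Report the current state; uncomment one line to apply or undo the workaround.
$clsids = @(Get-ShimgvwClsid)
Write-Host "shimgvw.dll COM registrations found: $($clsids.Count)"
$clsids | ForEach-Object { Write-Host "  $_" }
# Set-ShimgvwRegistration -Registered $false   # workaround: unregister (thumbnails stop working)
# Set-ShimgvwRegistration -Registered $true    # restore after the official patch is deployed
```

Run the report line across a fleet before and after patch deployment to confirm no host is left permanently de-registered.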

More daring security managers already had another option: a third-party patch released to fix the problem, which the SANS Institute recommended applying until Microsoft's became available. As the SANS Institute's Stephen Northcutt noted, "The path of wisdom is to download the unofficial patch, and test it on some non-production systems, and also to make sure you are ready to go when the worm breaks loose."

Still, some caution against applying a non-official patch. As Gartner analyst John Pescatore notes in a SANS Institute newsletter, "Even with a trusted source of an unofficial patch, the odds of causing self-inflicted damage by doing so are very high for enterprise users. The workarounds, like unregistering the DLL and losing thumbnails, are likely to have fewer unintended consequences than an unsupported, unofficial patch."