WMF hole still reverbrates with users

What a way to start the year! The now-well-known WMF vulnerability, which allows an infected image to silently take over your PC, was first publicized just before New Year’s Eve. It resulted in a frantic week for Microsoft and millions of Windows users who wanted to protect themselves.

I considered the risk of infection from hacked Windows metafiles (.wmf files) to be so dire that I published an unprecedented two news updates in the same week. (In the past 12 months, I’d felt the need to release only 5 news updates.)

My first news update, on Jan. 4, urged readers to protect themselves against infected images that were already in the wild. I recommended installing an unofficial patch by Belgian programmer Ilfak Guilfanov that was endorsed by F-Secure, the SANS Institute’s Internet Storm Center, and other security sites. At that time, Microsoft was saying it wouldn’t release a patch of its own until Jan. 10 or later.

Microsoft, fortunately, reversed itself and posted its official patch, MS06-001, on Jan. 5. With only about 10 days elapsing between the first signs of bad press and a released patch, this is said to be a record for the Redmond software giant.

In response to the unexpectedly rapid fix, I published my second news update on Jan. 6. In that alert, I recommended that Windows users should install the official patch. This would make it safe to then uninstall the unofficial patch, which can and should be removed after the protection provided by MS06-001 is in place. (A leaked version of MS06-001, which appeared on some Web sites prior to Jan. 5, must be uninstalled prior to attempting to install MS06-001, as I discuss below.)

Since all the excitement of that week, several readers have written to say they weren’t sure exactly how to uninstall Guilfanov’s patch. For this reason, I’m publishing step-by-step WMF protection instructions, below, with as much detail as possible.

Replacing unofficial patches with MS06-001

I’m grateful to the Internet Storm Center, which published some of the same instructions in its Jan. 6 blog that I show here. Take the following steps to remove unofficial patches and install Microsoft’s official patch to protect against the WMF hole:

Step 1. Reboot your system to clear any infected image files from memory.

This article is part of our premium content. Join Now.

Already a paid subscriber? Click here to login.

= Paid content

All Windows Secrets articles posted on 2006-01-12: