There has been a slew of patches for the WMF vulnerability. In addition to the unofficial patch by Ilfak Guilfanov, an as-yet-unfinished Microsoft patch was inadvertently released online.
The vulnerability is critical because the user does not need to do anything except view the image, either in an email or via a browser. Microsoft refused to depart from its monthly patch-release schedule to release an express patch. This gives the vulnerability a cosy 10-day window to wreak havoc worldwide.
Meanwhile, Ilfak rose to the occasion and posted an unofficial patch on this website. His site was down earlier due to humongous load (‘half the planet is downloading WMFFIX_HEXBLOG14.exe’), but is back now. The patch has also been mirrored by a number of sites, including GRC.com, Sunbelt Software and Antisource. F-Secure and Internet Storm Center (SANS) recommended that customers use Ilfak’s patches while Microsoft puts its patch together.
Resources
Update: Microsoft has released a patch – it is being automatically applied to machines (Win XP SP2 at least) with Automatic Updates enabled.