Microsoft makes the world safe for porn.
Catching many security professionals by surprise, Microsoft has released an "off-cycle" patch for the recent WMF exploits:
http://www.microsoft.com/technet/security/bulletin/advance.mspx
http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx
A couple of things to note:
- Off-cycle means that Microsoft thought this was important enough to ship early. That's a hint that they reckon a significant number of their users will be affected, and that the influx of new tech support calls and bad PR caused by the patch will be smaller than the influx caused by the exploit.
- Microsoft have been getting much better at providing reliable patches, so that "significant number" should actually be relatively low in percentage terms.
- The behaviour being exploited is not a buffer overflow. It's doubtful whether you can call it a bug. It's by design. The WMF design is lifted straight from the API instructions you'd send to a printer, and those APIs allow the calling program to specify "in the event of an error rendering this image, call me back", and provide an address to call into. Where this breaks is in allowing a data file to contain that code.
- Data files are code. Code files are data. There is no spoon.
- Unofficial patches are generally inadvisable for most users. "To avoid unknown third parties installing code on my machine, I will install code on my machine from an unknown third party." Make sure you have reason to trust any third party whose code you install. Maybe the unofficial patch floating around for the WMF exploit is good and trustworthy, but it's a risk you should consider.