Acting outside of its regularly scheduled monthly patch release cycle, Microsoft released a bulletin, "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919) ," and an associated patch to correct vulnerabilities with Windows metafiles. The patch works on Windows 2000 with Service Pack 4, Windows XP with Service Pack 1, and Windows Server 2003 with Service Pack 1.
"Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release," the company wrote in its January Security Bulletin Advance Notification. "In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible. Microsoft’s monitoring of attack data continues to indicate that the attacks are limited and are being mitigated both by Microsoft’s efforts to shut down malicious Web sites and with up-to-date signatures form anti-virus companies."
During the past week tools were released that can be used by intruders with little programming knowledge to quickly craft new exploits. Independent vulnerability testers reported that as of January 5 there were currently more than 1100 different exploits that take advantage of the Windows metafile vulnerability.
While Microsoft's patch protects supported operating systems, countless systems still use Windows NT, Windows ME, Windows 98, and Windows 95, all of which remain vulnerable. Microsoft said it doesn't consider the vulnerability on those operating systems to be critical and as such it will not release patches for them. However, cross-platform anti-virus maker Eset released a unofficial patch that helps protect those operating systems.
