Microsoft Enters 2006 with Yet Another Major Security Problem - 03 Jan 2006

Welcome to Microsoft's credibility problem. Late last week, the company was confronted by news that a newly discovered vulnerability in the Windows Metafile Format (WMF) image file format--a vulnerability that affects virtually every 32-bit Windows version ever made, including fully patched Windows Server 2003 and Windows XP systems--was both more serious than previously expected and already being exploited by malicious hackers. The software giant responded by saying that it would fix the problem by January 10, 2006, at the earliest, which is the date of its previously scheduled monthly security patch release for January. There's just one problem: This flaw is so serious that security experts now believe we can't wait that long.

On Sunday, security researchers at the SANS Institute Internet Storm Center warned that Windows users shouldn't wait for Microsoft's patch but instead install a third-party patch that SANS evaluated over the weekend. To find out more about this patch and grab the free download, see the SANS WMF FAQs at the URL below.

I'm not sure I can recommend installing this patch, but consider this fact: You can be exploited by browsing the Web, or even by simply downloading an infected email. It doesn't matter how up-to-date your antivirus solution is, and it doesn't matter which browser you use, although Mozilla Firefox does offer a level of prompting that's not found in Microsoft Internet Explorer (IE).

Scared yet? You should be. And it's just going to get worse, as newer, more dangerous attacks are launched in the week before Microsoft issues a patch. My guess is that this isn't the kind of New Year Microsoft envisioned for Windows.