Original URL: http://www.channelregister.co.uk/2006/01/03/wmf_workaround/
Microsoft rushed out a temporary fix on Monday to defend against a dangerous new Windows Meta File vulnerability (http://www.kb.cert.org/vuls/id/181038) that became the focus of numerous exploits late last week. Redmond's workaround (http://www.microsoft.com/technet/security/advisory/912840.mspx) disables some functions in Windows and is only partially effective. Fortunately, there is an alternative. Security researchers at the SANS Institute advise users both to unregister the affected library files (DLLs) and to use an unofficial patch, as explained here (http://isc.sans.org/diary.php?storyid=994).
The WMF vulnerability (http://secunia.com/advisories/18255/) exists in computers running Microsoft Windows XP (SP1 and SP2) and Microsoft Windows Server 2003 and stems from a flaw in a utility used to view picture and fax files. The security flaw might be exploited by inducing victims to view maliciously constructed sites, particularly where IE is used as a browser, or when previewing *.wmf format files with Windows Explorer. Hackers have created a range of Trojan programs which exploit the flaw. Microsoft said (http://www.microsoft.com/technet/security/advisory/912840.mspx) it plans to release a patch against the security hole on 10 January as part of its regular "Patch Tuesday" monthly update cycle. ®