~ Resolution ~ The official patch is available 5 days ahead of initial schedule! See instructions below.
1) IF you happen to be such a tech-head that you enabled a Software Restriction Policy, then either set it to not apply to local Administrators, or revert it to Unrestricted.
2) Uninstall the UNofficial patch if you used it. Then reboot.
3) Go to http://www.microsoft.com/technet/sec.../ms06-jan.mspx, scroll down to Affected Software and Download Locations and expand it with the + sign. Click the link next to your version of Windows, and go get your patch.
4) Reboot the computer after installing the patch.
5) After the reboot, if you had unregistered the Windows Picture & Fax Viewer, you can now re-register it with the command regsvr32 %windir%\system32\shimgvw.dll (paste this into Start > Run and click OK).
(No, there's no patch for Win98, WinME, Win95 or Win3.11. They're past the end-of-life phase, folks.)
~ Update 5 ~ This exploit is now being used in Spam emails, Instant Messaging worms, banner advertisements (!) and thousands of malicious websites. An unofficial but reputable patch has been added to the Actions list below, and is said to work for Windows2000 and WindowsXP.
If your computer displays a maliciously-constructed .WMF image file (in an email, on a web page, etc), this exploit will run itself without you doing anything. So just visiting a website that's displaying one of these pictures is enough to get infected. There are tons of other ways this could be used to infect you, so take precautions or you may end up face-down in a huge pile of nightmare spyware/adware/viruses/Trojans.
If you have WindowsXP or Windows2000, download and run this unofficial patch: get the patch from here. Once the vulnerability has been patched "officially" by Microsoft, you can uninstall this unofficial patch using the Add/Remove Programs in Control Panel, it'll be listed. Disclaimer: I haven't tested this on a Windows2000 computer but the Internet Storm Center says it's ok. This patch is endorsed by F-Secure (antivirus company), the Internet Storm Centre, and by Sunbelt (antispam/antispyware/firewall vendor) as the best single blanket defense.
If you have WindowsXP, also click Start > Run, paste this into the box and click OK:
regsvr32 -u %windir%\system32\shimgvw.dll
This "switches off" the most vulnerable piece of WindowsXP for the moment. Once the vulnerability has been patched, you can switch it back on with this command (same one except no -u in it):
If you have WindowsXP with Service Pack 2, enable Data Execution Prevention completely. Right-click My Computer on your desktop screen or Start menu, and choose Properties. Then do as shown in the picture below. This will only help if your computer's CPU has "hardware DEP" support. If you're curious whether your CPU has hardware DEP capabilities, feel free to ask in the thread.
Update your antivirus software's signatures. Checking for updates a couple of times a day would not be overkill.
If your antivirus software is old-version stuff, get a current-generation version of it. If your antivirus software is a version more than a year old, it's time to move on.
If you have no antivirus software, consider using a basic free one, or install a trial version of a big-name one.
- I recommend Kaspersky Antivirus Personal 5 if you want to buy one. 30-day trial version. Video clip showing how to configure it for maximum protection: right-click this link and Save Target
- You can also get trial versions of McAfee's home-user stuff from this page and Symantec/Norton's from this page.
- The free version of AntiVir is generally regarded as the best freebie antivirus for Windows (from a detection standpoint): http://www.free-av.com You must run the updates manually, and it downloads the whole virus database every time, so it's a bit unwieldy for dial-up users.
- Don't use more than one antivirus software at a time, because they can clash.
Visit the Windows Update web site every few days to get a patch for the vulnerability when it's ready. I'd guess Microsoft will take swift action on this vulnerability and have a patch ready in a few days.
Enabling the Automatic Updates feature on WindowsXP or Windows2000 would be another way to get the patch as quickly as practical.
Look for the Automatic Updates feature in Control Panel.
If you have Microsoft Office2000 or later, check your system at the Office Update site as well. You may need to go back for several rounds of updates if you're way out-of-date.
If you have Google Desktop installed, check for updates for it frequently and consider disabling it for now, since it has already been documented by F-Secure that Google Desktop will auto-infect systems when a malicious .WMF file arrives. This is why I'm thinking these could easily spread via P2P networks, since the arrival of the file would trigger exploitation on systems with Google Desktop installed.
Hope that helps someone
Microsoft's preliminary bulletin, for those who are interested.
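
An added example, not part of the original post or of any vendor tool: a small Python triage for mail or download folders that decides by content (not file name) whether a file is a WMF, and flags one whose record stream contains a META_ESCAPE record calling SETABORTPROC, the record publicly documented as the trigger for this WMF flaw. The function names and the sample byte strings are constructed for illustration; the samples carry no payload.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte "placeable" pre-header magic
META_ESCAPE = 0x0626         # WMF record function: META_ESCAPE
SETABORTPROC = 0x0009        # escape function tied to this vulnerability

def wmf_records(data):
    """Yield (function, params) per record; raise ValueError if not a WMF."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("too short for a WMF header")
    ftype, hdr_words, version = struct.unpack_from("<HHH", data, off)
    if ftype not in (1, 2) or hdr_words != 9 or version not in (0x0100, 0x0300):
        raise ValueError("not a WMF header")
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            break                     # malformed size: stop rather than loop
        end = min(off + size_words * 2, len(data))
        yield func, data[off + 6:end]
        if func == 0:                 # META_EOF ends the record stream
            break
        off = end

def classify(data):
    """Return 'not-wmf', 'wmf', or 'wmf-setabortproc'."""
    try:
        for func, params in wmf_records(data):
            if (func == META_ESCAPE and len(params) >= 2
                    and struct.unpack_from("<H", params)[0] == SETABORTPROC):
                return "wmf-setabortproc"
    except ValueError:
        return "not-wmf"
    return "wmf"

# Constructed, inert sample inputs (header plus empty records, no payload).
def _rec(func, params=b""):
    return struct.pack("<IH", 3 + len(params) // 2, func) + params

_HDR = struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)
SAMPLES = {
    "jpeg_bytes": b"\xff\xd8\xff\xe0" + bytes(20),
    "plain_wmf": _HDR + _rec(0x0201, bytes(4)) + _rec(0),
    "escape_wmf": _HDR + _rec(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)) + _rec(0),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", classify(blob))
```

A "wmf-setabortproc" result is a reason to quarantine the file and check the machine's patch state, not proof on its own that the file is malicious.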