What you need to know about the WMF vulnerability

09.01.2006

Did I hear something about this back in November? No, that was a different problem, affecting both WMF and EMF (Extended Metafile) formats. For those keeping track, the earlier vulnerabilities were profiled in Microsoft Security Bulletin MS05-053; the newer problem is covered in Microsoft Security Advisory 912840. The patch issued for the earlier vulnerability doesn't correct the newer problem.

The solution (so far)

What do the patches do? According to Ilfak Guilfanov, the patch writer, the unofficial Hexblog patch blocks access to the Escape() function in gdi32.dll, making the vulnerable SETABORTPROC subfunction unreachable. After running the patch, a user should also deregister the shimgvw.dll library. Hexblog's fix works on Win2000, XP, XP64 and Win2003 systems.
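The Escape()/SETABORTPROC path described above corresponds to a specific record in a WMF file, so files can be screened for it before they reach an image viewer. The scanner below is an added example, not code from the article, Hexblog or Microsoft; the record constants come from Microsoft's published WMF format specification, and `build_sample` is a hypothetical helper that produces constructed, payload-free test files.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header before the WMF header
META_ESCAPE = 0x0626          # record function that maps to gdi32 Escape()
SETABORTPROC = 0x0009         # escape subfunction blocked by the unofficial patch
META_EOF = 0x0000             # terminating record

def find_setabortproc(data):
    """Return byte offsets of META_ESCAPE records that select SETABORTPROC."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("too short for a WMF header")
    mtype, hdr_words = struct.unpack_from("<HH", data, off)
    if mtype not in (1, 2) or hdr_words != 9:
        raise ValueError("not a WMF header")
    off += 18
    hits = []
    while off + 6 <= len(data):
        # Each record: 32-bit size in 16-bit words, 16-bit function, parameters.
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError("malformed record at offset %d" % off)
        if func == META_EOF:
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            # First parameter word of META_ESCAPE is the escape subfunction.
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                hits.append(off)
        off += size_words * 2
    return hits

def build_sample(records):
    """Constructed input: standard header, the given (function, params) records, EOF."""
    body = b"".join(struct.pack("<IH", 3 + len(p) // 2, f) + p for f, p in records)
    body += struct.pack("<IH", 3, META_EOF)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, 0, 0)
    return header + body

if __name__ == "__main__":
    # SETMAPMODE record followed by an empty SETABORTPROC escape (no payload bytes).
    sample = build_sample([(0x0103, struct.pack("<H", 8)),
                           (META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0))])
    print(find_setabortproc(sample))
```

A `ValueError` means the header or record chain is malformed, and such a file should be treated as suspect rather than clean.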

Microsoft is, of course, working on a patch. A prerelease version was briefly posted on a developers' discussion board, probably in error. Microsoft says the release version will not be available until Jan. 10. The company recommends that users deregister the shimgvw.dll library until the official patch is installed.

Is a non-Microsoft patch safe? Microsoft and some analysts, such as Gartner Inc., are suggesting that sysadmins not install the Hexblog patch, noting that most major antivirus packages have issued up-to-date signatures that handle the problem. Other reputable sources, such as SANS Institute's Internet Storm Center, recommend installing the Hexblog patch. The U.S. Computer Emergency Readiness Team (US-CERT) is noncommittal but does link to the Hexblog patch.