What you need to know about the WMF vulnerability

09.01.2006

What if I just block the WMF extension? Nope. Other graphics files, with extensions such as .bmp, .gif and .jpg, might also be problematic, since the rendering engine examines file headers (not extensions) when determining file type. A WMF payload renamed to .jpg is still recognised and rendered as a WMF, so an extension filter at the mail gateway or proxy stops nothing; any filter has to look at the file contents.
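The following is an added example, not code from the article or from any of the vendors it mentions. It shows the difference between the two filtering rules above: a naive extension check versus identifying the format from the leading bytes the way the rendering engine does. The sample files are constructed inline (a minimal WMF consisting of a header plus an end-of-file record, a placeable WMF with a computed checksum, and a JPEG stub); the filenames are made up for illustration.

```python
"""Sniff image format from header bytes, not from the file extension.

Added example (not from the article). Sample inputs are constructed below.
"""
import struct

# Aldus placeable WMF header key, stored little-endian as 0x9AC6CDD7.
PLACEABLE_WMF_MAGIC = b"\xd7\xcd\xc6\x9a"


def sniff_image(data: bytes) -> str:
    """Return a format name based only on the leading bytes of ``data``."""
    if data.startswith(PLACEABLE_WMF_MAGIC):
        return "wmf"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"BM"):
        return "bmp"
    # A standard (non-placeable) WMF has no magic string, so check the
    # META_HEADER fields instead: Type 1 (memory) or 2 (disk), HeaderSize of
    # 9 words, Version 0x0100 or 0x0300.
    if len(data) >= 18:
        mt_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        if mt_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def extension_filter(filename: str) -> bool:
    """The naive rule from the question: block only names ending in .wmf."""
    return filename.lower().endswith(".wmf")


def content_filter(data: bytes, blocked=frozenset({"wmf"})) -> bool:
    """Block on what the bytes say the file is, whatever the name claims."""
    return sniff_image(data) in blocked


def _standard_wmf() -> bytes:
    """Smallest well-formed WMF: an 18-byte META_HEADER and a 6-byte EOF record."""
    eof_record = struct.pack("<IH", 3, 0x0000)          # size 3 words, META_EOF
    total_words = (18 + len(eof_record)) // 2
    header = struct.pack("<HHHIHIH", 2, 9, 0x0300, total_words, 0, 3, 0)
    return header + eof_record


def _placeable_wmf(inch: int = 96) -> bytes:
    """Placeable WMF: 22-byte Aldus header (with XOR checksum) then the standard file."""
    body = struct.pack("<H4hHI", 0, 0, 0, 0, 0, inch, 0)   # HWmf, BoundingBox, Inch, Reserved
    words = struct.unpack("<10H", PLACEABLE_WMF_MAGIC + body)
    checksum = 0
    for w in words:
        checksum ^= w
    return PLACEABLE_WMF_MAGIC + body + struct.pack("<H", checksum) + _standard_wmf()


SAMPLE_WMF = _standard_wmf()
SAMPLE_PLACEABLE_WMF = _placeable_wmf()
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

# Constructed attachments: the second entry is WMF content renamed to .jpg,
# which is exactly what an extension-only filter lets through.
SAMPLES = {
    "diagram.wmf": SAMPLE_WMF,
    "holiday.jpg": SAMPLE_WMF,
    "photo.jpg": SAMPLE_JPEG,
    "chart.bmp": SAMPLE_PLACEABLE_WMF,
}


def scan(samples: dict) -> dict:
    """Map each filename to (blocked by extension, blocked by content, sniffed format)."""
    return {
        name: (extension_filter(name), content_filter(data), sniff_image(data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, (by_ext, by_content, fmt) in scan(SAMPLES).items():
        print(f"{name:12} ext-filter={by_ext!s:5} content-filter={by_content!s:5} format={fmt}")
```

Running the script shows `holiday.jpg` and `chart.bmp` passing the extension rule while the content rule blocks both; the standard-header heuristic is deliberately checked last so that a genuine JPEG, GIF, PNG or BMP is never misreported as a metafile.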

What about just deregistering the shimgvw.dll library? Microsoft says that will do for now, but outside security experts note that shimgvw.dll is only an intermediate step: it merely calls the vulnerable function in gdi32.dll. Any other program that hands an image to gdi32.dll for rendering can still trigger the flaw, so deregistering the viewer narrows the attack surface rather than removing it. Windows Picture and Fax Viewer, which uses shimgvw.dll, is only the default program for WMF and other graphics files in XP and Server 2003. Desktop search software such as Google Desktop could also trigger the vulnerability simply by indexing an infected file, as detailed on F-Secure's blog. Additionally, IBM has issued a bulletin advising Lotus Notes users that the company is investigating whether Notes' file viewer will execute problematic code; Symantec states more definitely that Notes is at risk.

If I install the unofficial patch, what do I do with the official patch? Guilfanov says there will be no conflict between the two but advises users to uninstall his fix after they have installed Microsoft's; it will be listed in the Add/Remove Programs window. Users who deregistered shimgvw.dll as a workaround should also remember to reregister it (with regsvr32, the same tool used to deregister it) once the official patch is in place, or Windows Picture and Fax Viewer will stay disabled.

The human factor

Who's this Guilfanov guy? Ilfak Guilfanov wrote IDA Pro, a popular disassembler program used to investigate malware of this sort at the binary level. Currently, he's employed by Belgium's Datarescue, which released a preview of the next version of IDA Pro on December 28 -- the day after the WMF problem was revealed.