Despite previous indications that the Windows Meta File (WMF) security exploit patch would be released on January 10th, Microsoft have released an update via MS Update to fix the WMF issue.
The update, brought to our attention by our forums moderator, Frank, weighs in at 196KB and is dated today (5th January 2006). It is rated critical for Windows XP, Windows 2000 and Windows Server 2003. For users of Windows 98 and Me, the exploit is rated non-critical and therefore won't be patched. The following extract is from the TechNet Bulletin:
Does this update contain any security-related changes to functionality?
Yes. The change introduced to address this vulnerability removes the support for the SETABORTPROC record type from the META_ESCAPE record in a WMF image. This update does not remove support for ABORTPROC functions registered by application SetAbortProc() API calls.
If you installed the patch we recommended earlier in the week, we advise you to remove it first before installing Microsoft's update. For more details on the fix, see below for the full security bulletin.
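The bulletin extract above names the record the update stops honouring: a META_ESCAPE record that selects SETABORTPROC. As an added example (not Microsoft's code and not part of the original article), this Python scanner walks the records of a WMF file and reports the offset of any such record; the record and escape numbers come from the published WMF format, and the helper names and sample files are constructed for illustration.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header precedes METAHEADER
META_EOF, META_ESCAPE = 0x0000, 0x0626  # record function numbers
SETABORTPROC = 0x0009  # escape function carried inside META_ESCAPE

def find_setabortproc(data: bytes) -> list:
    """Return byte offsets of META_ESCAPE records that select SETABORTPROC."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC:
        pos = 22
    if len(data) < pos + 18:
        raise ValueError("truncated WMF header")
    mtype, header_words = struct.unpack_from("<HH", data, pos)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    pos += 18
    hits = []
    while pos + 6 <= len(data):
        size_words, function = struct.unpack_from("<IH", data, pos)
        if size_words < 3:  # a record is at least size (2 words) + function (1 word)
            raise ValueError(f"bad record size at offset {pos}")
        if function == META_EOF:
            break
        if function == META_ESCAPE and size_words >= 4 and pos + 8 <= len(data):
            if struct.unpack_from("<H", data, pos + 6)[0] == SETABORTPROC:
                hits.append(pos)
        pos += size_words * 2  # record sizes are counted in 16-bit words
    return hits

def _record(function: int, params: bytes = b"") -> bytes:
    # Hypothetical helper: builds one record for the constructed samples below.
    return struct.pack("<IH", 3 + len(params) // 2, function) + params

def _metafile(*records: bytes) -> bytes:
    # Hypothetical helper: 18-byte METAHEADER + records + META_EOF.
    body = b"".join(records) + _record(META_EOF)
    largest = max(len(r) for r in records) // 2
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, largest, 0) + body

# Constructed samples: no drawing content, and the SETABORTPROC record has no data.
SET_MAP_MODE = _record(0x0103, struct.pack("<H", 1))
CLEAN = _metafile(SET_MAP_MODE, _record(META_ESCAPE, struct.pack("<HH", 0x000F, 2) + b"hi"))
FLAGGED = _metafile(SET_MAP_MODE, _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)))

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("flagged", FLAGGED)):
        print(name, find_setabortproc(blob))
```

A META_ESCAPE record with a different escape function, such as the comment record in `CLEAN`, is not reported, which matches the bulletin's statement that only the SETABORTPROC record type is dropped.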