"Ilfak Guilfanov's HexBlog web site has been administratively suspended due to excessive use. (Yeah, no kidding!)," writes Steve Gibson. He's one of the people hosting Guilfanov's unofficial patch for the WMF vunerability. This is up to v1.4, but if you have already installed one version, you don't need another.
CastleCops has taken over the hosting of the Hexblog forum and FAQ, and is also hosting the WMF fix.
The SunBelt blog is also hosting the patch here
Microsoft has published another response on its Security Response Center Blog. Kevin Kean says: " we have finished development of a security update to fix the vulnerability and are testing it to ensure quality and application compatibility. Our goal is to release the update on Tuesday, January 10, 2006, as part of the regular, monthly security update release cycle, although quality is the gating factor."
The more formal version is the Microsoft Security Advisory (912840).
Meanwhile it's not clear how many people are at risk. At eWeek, Larry Seltzer says: "I have been testing a lot tonight and it appears to me that iDEFENSE is right: In a practical sense, only Windows XP and Windows Server 2003 (in all their service pack levels) are vulnerable to the WMF flaw. On other platforms, unless you have installed your own vulnerable default handler for WMF files, the likelihood of compromise even when a system is bombarded with malicious WMFs is low."
Avery Parker adds: "I've been testing this for a couple days now and can find no configuration that a Win98 SE test system has been compromised. I've used IrfanView on the system as well." Details here.
But as Sergeant Phil Esterhaus used to say after rollcall, "Hey, let's be careful out there."
