Microsoft has confirmed the security vulnerability in the Windows Meta File (WMF) which can be used to install any type of malicious code to your computer (mainly Viruses and Trojans). There are many variants of exploit already appearing in the internet. Microsoft is planning to release the patch next week on 10 Jan 2006 but many security experts say that it might me too little too late.
“We have reverse engineered and verified that the installation/uninstallation code in the .msi does what it says it does and nothing more”
Internet Storm Center have detailed explanation on how WMF security vulnerability and the unofficial patch work.
Web security solutions provider Websense is providing more information on WMF infected sites . Infected sites are detected in United States, Russia, Netherlands, the United Kingdom, China, and Japan at this moment.
As for myself I’ve already installed the unofficial patch and can recommend you to do so but you need to understand this is an unofficial patch which Microsoft don’t recommend but I’m simply afraid that it might be too late before they release the official patch. This security vulnerability is too serious to ignore and wait for a week. BTW, Internet Storm Center and Anti-Virus firm F-Secure both have tested and urging the businesses to install unofficial patch.