Yesterday at around 2:00 p.m. PST (9:00 p.m. UT), Microsoft released the fix for the WMF vulnerability. If you’ve downloaded the ‘unofficial’ patch, you can safely uninstall it AFTER you go to Windows Update (the link in my title) and download the patch.
The handlers at SANS.org and others have looked at the new patch. They’ve determined that it’s effective, and also that it follows the same line of thought as the ‘unofficial’ patch: it removes the vulnerable command from the program (GDI.EXE), although it still allows a method for legitimate users to utilize the command (through APIs).
The steps for updating and removing the ‘unofficial’ patch are these (I’m quoting for the most part from http://isc.sans.org/diary.php?storyid=1019, but you need to go there to verify the method; there are different methods for uninstalling the ‘unofficial’ patch, depending on how you installed it):
1. Reboot your computer to remove any vulnerable files from memory.
2. Go to http://windowsupdate.microsoft.com and install the updates.
3. Reboot your computer again, as required by Windows Update.
4. Go into Add/Remove Programs (Control Panel) and uninstall the Windows WMF Metafile Vulnerability HotFix.
5. Reregister the shimgvw.dll file by using this command (pasted into Start -> Run..., without the quotes): “regsvr32 %windir%\system32\shimgvw.dll”
6. Reboot again, just to be safe.
You should be good to go then. For the people who were affected by the worms, I’m sorry. For the people who weren’t affected, I’m glad that you didn’t get hit by this one. Keep your computers updated, and stay safe and secure.