Quick Background:

 The active exploitation of a very serious vulnerability in all versions of Windows was discovered in late December.

 Word of this spread rapidly through the hacker community — many of whom where presumably on holiday vacation from school, bored, and looking for something to do.

 So several days later nearly one hundred different instances of exploitation of this newly discovered vulnerability had been found.

 Note that this is not a "new vulnerability" — it (and perhaps other similar bugs) have been lying unknown in Windows since 1991. What's "new" is the discovery of this long-present vulnerability in Windows' metafile processing.

 Almost immediately there were reports of an MSN Messenger worm, and now F-Secure is reporting that "Happy New Year" SPAM eMail is carrying an exploit.

 Anti-Virus vendors quickly updated and began pushing out their A-V signature files. These have been effective, but a new very flexible exploit generation tool has appeared that's able to create so many different variations of the exploit that A-V signatures are having trouble keeping up.

 Microsoft responded with an acknowledgement of the problem which included a very weak workaround (the shimgvw.dll unregistration) that provides very little protection. Theirs is not a cure, and it is not known how long the Windows user community will now be waiting for a true patch from Microsoft.

 Ilfak Guilfanov (see GREEN box below) produced a highly-effective true patch which successfully suppresses all known exploitable vulnerabilities for anyone using Windows 2000, XP, server 2003, or 64-bit XP. No patch is available for Windows 95, 98, ME or NT, and none is expected to be forthcoming. But anyone using Windows 2000, XP, server 2003, or 64-bit XP should IMMEDIATELY install Ilfak's exploit suppressor into all of their systems.

 A special (short) edition of "Security Now!" — On Sunday, January 1st, I phoned into Leo Laporte's KFI "Tech Guy" radio program to inform him and his radio audience of the availability of Ilfak's new patch and real solution. Leo produced a special edition of our weekly "Security Now!" audio podcast. Since this was by telephone the audio quality is not great, but the high-quality and lower-quality MP3 audio files are available here:

    Higher-quality (larger) KFI Radio program update (64 kbps, MP3, 5.4 MB)
    Lower-quality (smaller) KFI Radio program update. (16 kbps, MP3, 1.4 MB)

 Ilfak has produced a WMF Vulnerability Checker — Many users want to verify that their "exploit suppressed" systems are now safe to use. And others want to see whether their anti-virus A-V systems are now detecting some WMF exploit code. So Ilfak has produced a simple WMF Vulnerability tester:

    Download Ilfak's WMF Vulnerability Checker from GRC (3.6 kb)

You can read more about his checker, and users' experiences, on his Vulnerability Checker blog page.

 An important Note about A-V signatures: As useful as anti-virus protection is as a first line of defense, new WMF exploits are succeeding at bypassing them. So A-V cannot be relied upon. The only safe measure is to install Ilfak's vulnerability suppression solution until Microsoft has updated the GDI32.DLL file and permanently resolved this problem.

 Windows 98/SE/ME users: Microsoft's original advice to "unregister the shimgvw.dll" (shell image viewer) was never correct or useful on those platforms. The good news is that all current WMF exploits appear to be non-functional on the older Win9x vintage platforms . . . so you will likely be okay until Microsoft has updated your system with the next security patches. There is no short-term workaround for Windows 9x/SE/ME users.

 Other new links: See the bottom of the RED box below for many "original discovery" links.

    SANS "Handler's Diary" update for January 1st, 2006

    F-Secure's ongoing coverage and updates

 Get generic WMF Vulnerability news — from GoogleNews:

The Tack Tech page link above is one of many pages on the web describing how to run applications as services. You can simply "Google" for the string "SRVANY" to find many more . . . including a page by Microsoft.

Additionally and conveniently, the Tack Tech page provides a ZIP file containing the two Microsoft Windows utilities required to perform this work: http://www.tacktech.com/pub/microsoft/service/srvany.zip

 McAfee's Free WPA Software
If you have older WiFi equipment that won't run under WPA, you may be able to use McAfee's free WPA client in its "Pre-Shared Key" or "Disable Authentication" mode to get your older equipment running.

However, since McAfee is desperately trying to sell you more than you need (a dynamic WiFi endpoint authentication service), you MUST READ THIS page carefully and be sure to choose the "Disable Authentication" option when installing the client. You don't need their for-pay dynamic authentication subscription service since the use of your system-wide pre-shared key is completely sufficient.

 The Gravity Newsreader  v2.5 — a 2.5 MB download from GRC's server.
Just a reminder that GRC (this site) runs a set of really terrific Internet security and privacy oriented newsgroups. Discussions page, (linked at the bottom of every page), provides an introduction to our groups. And we now have a very active and terrific "Security Now!" group on the server where many listeners are participating. If you've never checked it out and if you just can't get enough of solid security and privacy discussion, our news server is the place to go!

USENET-style newsgroups have been around for so long that most PCs already have a newsreader built-in. So you can easily configure the newsreader that you already have. Or you can use my personal favorite newsreader, "Gravity" which is free and very capable. Gravity is a highly-configurable and capable USENET-style news forum reading and posting application. Once it's set up and running there's no better way to participate in online threaded discussion forums.