Late last night, Microsoft patched another critical flaw for Internet Explorer related to its handling of WMF files, an issue which has given the firm an incredible amount of grief over the past few weeks.
Unlike the previous flaw, which affected basically every Windows XP and 2000 machine out there, this version of the WMF flaw is only in IE version 5.01 SP 4 running on Windows 2000 SP 4, or IE version 5.5 Service Pack 2 on Win ME. Chances of any bit-tech
readers running that configuration are fairly slim, I'd imagine - especially since most of you will be running Firefox anyway!
The problem with the WMF flaw is the same as before - it allows website owners to use images to execute arbitary code on the user's PC by using a badly-written error-handling technique.
According to The Washington Post
, this isn't a new flaw, rather a response to an old one not previous considered critical by MS:
Lennart Wistrand, lead security program manager at the Microsoft Security Response Center, downplayed reports [at the time the original flaw was found] that other WMF flaws could be used to attack IE users, saying, the glitches "are not exploitable but are instead Windows performance issues that could cause some WMF applications to unexpectedly exit."
Apparently Lennart has now changed his mind!
How will Critical security updates from Microsoft interact with its new Windows OneCare programme, which we discussed yesterday
? Will some now be classed as virus exploits, and will require the OneCare subscription? Is a flaw affecting IE4 on WinME really that critical at all? DO you believe the conspiracy theory that the WMF exploit was really a back door into Windows? Let us know your thoughts over in the forum.