I'm sure your all aware of the major exploit in the windows OS but figured I'd post a link that will allow you to check and patch your system before Microsoft's releases their own patch on January 10th.

better safe than sorry.

Vulnerability checker and patch:
http://www.grc.com/sn/notes-020.htm

Both F-Secure and the Internet Storm Center recommend not waiting for
Microsoft and using Ilfak's patch:
http://news.zdnet.com/2100-1009_22-6...tag=zdnn.alert

have a good one!

Marc

Thanks for the links Marc. This is a very critical patch to have installed.

Be sure to set a restore point, or backup your system before applying the above mentioned "unofficial" patch.

Personally I'm gonna wait for the one from Microsoft. They're going to know their own product a lot better than someone else and it'll undergo proper testing, etc. Plus you won't get support from Microsoft on a patch that they didn't make.

thanks for alerting us, marc, and for sharing the link.

MS has released an official patch now, for anyone reading. It got so much recognition that they didn't dare wait 'til their usual second Tuesday of each month.

As for not installing unofficial patches: usually. This "feature" of WMF allows an attacker to insert any arbitrary code into an image file that will be run anywhere an image could be displayed. In any browser viewing any page, your email etc. You don't need to click or accept or anything for this code to be run, and it will be run with the same permissions as the current user (and in Windows, that means 95% of the time, administrator). Waiting for MS to release a patch (and at first they said they were going to stick to their usual "Update Tuesday" schedule, which would mean another week) could be disastrous. The patch was written by a known author and has been recommended by trusted sources, there is no more risk in installing the temporary unofficial patch then there is running without it. But I do agree with you on the whole, but in this case I think it was better to install the unofficial patch.

I see what you're saying, but I tend not to visit any sites that could potentially be exploiting that vulnerability, anf my e-mail client is set not to display images, therfore I consider it low-risk.