"Official" fix for WMF vulnerabiilty now available

An update to an earlier post:

As of the evening of January 5, 2006, an official patch from Microsoft is available to address the WMF vulnerability.

If you run Windows 2000, Windows XP, or Windows Server 2003 and have set your systems up to receive patches automatically, it should come through soon if it hasn't already; you can also go directly to Windows Update (using Internet Explorer) and download the relevant patch.

Now, let's suppose that you followed our earlier advice (which was based on the best advice available from security mavens we trust) and installed the temporary, "unofficial" patch. In this case, *after* you install the Microsoft patch and reboot your machine, you should do the following:

1. Go to Start --> Control Panel --> Add or Remove Programs and remove the temporary fix (it appears in the list as "Windows WMF Vulnerability HotFix 1.2" or something similar to this.)
   
   
2. Re-register the DLL that you temporarily disabled, by going to Start --> Run and typing the following in the dialog box:
   regsvr32 %windir%\system32\shimgvw.dll

(If you didn't install the temporary patch or disable the DLL, once you install Microsoft's patch and reboot your machine you should be good to go.)

Related articles:

• Microsoft Security Bulletin MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
• Wikipedia article on WMF Vulnerability