
The Wolf in the Image

People cry wolf too often, but sometimes, as with the current Microsoft WMF vulnerability, the wolf really is at the door, or in this case in the image. Unlike many web-related vulnerabilities, this one does not require the user to do anything to take effect, because it is an image vulnerability: Internet Explorer (IE) triggers it simply by rendering such an image. Recent versions of Firefox at least ask the user before opening the image, but many users will say yes because it is an image, and people think images are safe.

Microsoft has not provided a fix, even though this problem has been known for a week or more now. SANS is predicting that Microsoft will not provide any fix for Windows 98; instead, if you want to be safe, you will have to upgrade.

Meanwhile, an individual has provided a patch that seems to work, and SANS has tested it and approves.

What does it mean when the world’s largest software vendor cannot release a timely patch for one of the worst vulnerabilities ever found in its software?
