Ilfak's hotfix for the Windows WMF vulnerability
By bertrand, Saturday 31 December 2005 at 20:28 :: Improvements :: #11
For those who have not heard of it yet, there is a fairly recent (at the time of writing) critical vulnerability in almost all recent versions of Windows; Microsoft has published a security advisory about it. This vulnerability is extremely dangerous because it needs no specific action from the user: it is enough for a crafted image to be rendered, for example in a web page or in an e-mail preview. It leads to remote code execution, which means that an attacker can run the code of his choice on your computer, without your consent, with the rights of the user logged on to the machine.
There is currently no patch from Microsoft for this problem, and since the bug is being actively exploited in the wild by malicious people, I strongly suggest that you apply the hotfix that Ilfak Guilfanov released just a few hours ago. He describes it on his blog. Read Ilfak's post, then download and install the hotfix from his blog as soon as you can.

I did not read the source code of the patch very carefully to check whether it is good or not, but Ilfak is one of the lead developers of IDA, a very well-known disassembler, and F-Secure, an antivirus company, recommends applying the patch on its blog. That is why I think that you can trust his hotfix.
If you cannot apply the patch for any reason, you should try to protect your computer until a fix from Microsoft is available by following the steps described in the Microsoft advisory under the "Suggested actions" tab. Anyway, I think that Ilfak's hotfix is better than Microsoft's workaround, which is NOT a complete fix.
I cannot say it enough: you must do something quickly, or you will very likely get a worm or spyware on your computer through this security flaw.
Why am I publishing this on this blog? Because what Ilfak made is a huge improvement: he was able to hack one of Windows' core DLLs so as to remove a security vulnerability! Also because I am involved in computer security discussion groups and I feel concerned about security issues. Finally, I feel some shame, because I spent this afternoon trying to modify shimgvw.dll and did not succeed... and this guy did! (He did not modify that DLL; instead he modified another part of the system which the exploit relies on.) And he did a very good job, preventing any exploitation of the security hole without changing the behaviour of the system in normal operation. When I tried to modify the buggy DLL, I wanted to stop it from recognizing WMF and EMF images: as it would no longer parse these files at all, exploitation would not be possible any more, and it would not bother users much, because WMF/EMF files are not widely used.
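The approach described above was to stop the image viewer from parsing WMF/EMF at all. A narrower check a defender can run on files in the meantime is to look for the specific construct the in-the-wild exploits relied on: a META_ESCAPE record carrying the SETABORTPROC escape code, which the vulnerable GDI metafile player turns into a callback (this detail comes from the public MS06-001 / CVE-2005-4560 analyses, not from the post itself). The scanner below is an added example, not part of the original post and not how Ilfak's hotfix works (the hotfix acts inside GDI at run time; this inspects the file). The two sample files are constructed inline, the `\xcc` bytes stand in for the attacker's code, and the record-building helpers exist only to build those samples. It handles WMF, with or without the 22-byte placeable header, and not EMF.

```python
"""Scan WMF files for the META_ESCAPE/SETABORTPROC construct used by the
December 2005 WMF exploits (MS06-001). Added example: not part of the
original post; it inspects the file, whereas the hotfix works inside GDI."""
import struct
import sys

# WMF format constants (Windows Metafile specification)
PLACEABLE_KEY = 0x9AC6CDD7   # magic of the optional 22-byte placeable header
META_EOF = 0x0000
META_SETBKMODE = 0x0102
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009        # escape code that registers an abort callback


def parse_header(data):
    """Validate the 18-byte standard header and return the offset of the first record."""
    off = 22 if len(data) >= 4 and struct.unpack_from('<I', data)[0] == PLACEABLE_KEY else 0
    if len(data) < off + 18:
        raise ValueError('truncated WMF header')
    mtype, header_words, version = struct.unpack_from('<HHH', data, off)
    if mtype not in (1, 2) or header_words != 9 or version not in (0x0100, 0x0300):
        raise ValueError('not a WMF file')
    return off + 18


def iter_records(data, off):
    """Yield (offset, function, params, problem) per record; stop at META_EOF or damage."""
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)
        if size_words < 3:               # the 6-byte record header alone is 3 words
            yield off, func, b'', f'record size {size_words} words is below the minimum of 3'
            return
        end = off + 2 * size_words
        problem = 'record runs past end of file' if end > len(data) else ''
        yield off, func, data[off + 6:min(end, len(data))], problem
        if func == META_EOF or problem:
            return
        off = end


def scan_wmf(data):
    """Return a list of findings; an empty list means no SETABORTPROC escape and no damage."""
    findings = []
    saw_eof = False
    for off, func, params, problem in iter_records(data, parse_header(data)):
        if func == META_ESCAPE:
            if len(params) >= 4:
                escape, count = struct.unpack_from('<HH', params)
                if escape == SETABORTPROC:
                    findings.append(f'offset {off}: META_ESCAPE with SETABORTPROC ({count} bytes of escape data)')
            else:
                findings.append(f'offset {off}: META_ESCAPE record too short to hold an escape code')
        if problem:
            findings.append(f'offset {off}: {problem}')
        saw_eof = func == META_EOF and not problem
    if not saw_eof:
        findings.append('no META_EOF record')
    return findings


# --- helpers used only to build the constructed samples below ---------------

def wmf_record(func, params=b''):
    """One record: size in 16-bit words (header included), function code, even-padded params."""
    params += b'\0' * (len(params) % 2)
    return struct.pack('<IH', (6 + len(params)) // 2, func) + params


def wmf_file(*records):
    """Wrap records in a standard header: in-memory type, version 3, sizes in words."""
    body = b''.join(records)
    return struct.pack('<HHHIHIH', 1, 9, 0x0300, (18 + len(body)) // 2,
                       0, max(len(r) for r in records) // 2, 0) + body


# Constructed samples, not real-world files.
BENIGN_WMF = wmf_file(
    wmf_record(META_SETBKMODE, struct.pack('<H', 1)),
    wmf_record(META_EOF),
)
FAKE_ABORTPROC = b'\xcc' * 16    # stand-in for attacker code (int3 padding), constructed
MALICIOUS_WMF = wmf_file(
    wmf_record(META_SETBKMODE, struct.pack('<H', 1)),
    wmf_record(META_ESCAPE, struct.pack('<HH', SETABORTPROC, len(FAKE_ABORTPROC)) + FAKE_ABORTPROC),
    wmf_record(META_EOF),
)

if __name__ == '__main__':
    paths = sys.argv[1:]
    if not paths:
        for name, blob in (('benign', BENIGN_WMF), ('malicious', MALICIOUS_WMF)):
            print(name, scan_wmf(blob) or 'clean')
    for path in paths:
        with open(path, 'rb') as f:
            try:
                print(path, scan_wmf(f.read()) or 'clean')
            except ValueError as e:
                print(path, 'skipped:', e)
```

Run with no arguments to scan the two built-in samples, or pass file paths. Damaged records (undersized or running past the end of the file) are reported as well, because an aborted playback is what invokes the abort procedure, so a file that pairs SETABORTPROC with a broken record deserves more suspicion than either alone.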