WMF vulnerability advisory update
Microsoft has updated their security bulletin on the WMF vulnerability to note a couple things. One, they acknowledge that embedded images within a document can trigger the exploit. Previously they said this needed further investigation. Second, they are seconding what I’ve been finding that Windows 98 and other pre-XP systems are not as critically at risk for this vulnerability….
Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates. For more information about the security update support policy for these versions of Windows, visit the following Web site.
Unfortunately it’s their reason for not issuing a fix for those platforms, which mens the second unofficial patch mentioned earlier today from an antivirurs company may be the only patch those systems get.
It’s not comforting that they will not release an update because it’s not critical. If you recall there was a recent 0-day explorer exploit that was a variation on an earlier known vulnerability that originally was not deemed critical.