Microsoft Rushes Out WMF Patch; 98, Me Still Vulnerable

By Michael Santo
Contributing Writer, RealTechNews

Just a few days after announcing they would release the fix to the Windows Metafile vulnerability on Patch Tuesday (1/10), Microsoft rushed the update out yesterday. There was initially some confusion in the press, as News.com said the patch was out early, while ZDNet said the patch was leaked accidentally, then recalled.

However, I went to Windows Update and successfully installed it, so the patch is there. One problem still exists. Microsoft has only released patches for Windows 2000, Windows XP, and Windows 2003 Server. Now, I realize that Me and 98 are no longer supported (though Me is still under extended support), but if you go to the Lifecycle Support pages for Me and 98 you’ll see the following line: Critical security updates will be provided on the Windows Update site through June 30, 2006.

We Say: Get the patch if you don’t have Me or 98, and especially if you have Trend Micro as your antivirus (according to AV-Test, it was the only AV not covering all variants as of Wednesday).

As far as Me and 98 go, Microsoft Security Bulletin MS06-001 indicates in the FAQ section that although “Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions.” Translation: not a critical problem for these OSes (according to Microsoft), so don’t expect a fix. We feel it would be the right thing to do, especially since these OSes are still in use in much of the world, especially Asia. Odds are it won’t happen, though.