Network News

X My Profile
View More Activity

Microsoft to Fix Windows Flaw Today

Well, Security Fix called it. After considerable backlash from the security community for saying it would wait until next week to issue a patch for a critical flaw hackers and viruses are exploiting in Windows, Microsoft did an about-face today, announcing that the patch would be released today.

"Microsoft will release the update today on Thursday, January 5, 2006, earlier than planned. Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release."

Microsoft said the update should be available for download on its Microsoft Update site as of 5 p.m. ET.

Redmond also said it plans to release additional updates Tuesday on its regular patch-release cycle, including one to mend a security hole in Windows and other to fix a problem in Microsoft Exchange and Microsoft Office. Both of those flaws Microsoft labeled "critical," meaning it believes hackers and viruses could exploit them to break into vulnerable Windows machines.

Update, 4:45 p.m. ET: Microsoft says the patch should already be up on its download site by now. A lot of people have written in asking what they should do if they have applied the third-party patch or the registry hack/workaround (unregistering that .dll file). Most of these instructions were cribbed from the SANS Internet Storm Center's advice.

1. Reboot your system to clear any vulnerable files from memory
2. Download and apply the new patch
3. Reboot
4. If you installed one of the unofficial, third-party patches, you may uninstall it by using Add/Remove Programs.
5. Re-register the .dll if you previously unregistered it. To do this:

* Click Start, click Run, type "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks, and then click OK.
* A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box.

6. Reboot one more time just for good measure

One more thing: Don't forget to join us tomorrow (Friday, Jan. 6 at 11 p.m ET) for our bi-weekly online chat -- Security Fix Live -- where I'll be tackling your questions on this and on all things security related.

By Brian Krebs  |  January 5, 2006; 2:46 PM ET
Categories:  New Patches  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Fake Anti-Spyware Makers Settle Fraud Charges
Next: MS Windows Image Problem, Round 2?


Should the unofficial patch be uninstalled before installing the Windows one, or is it OK to do it on top of the other one?

Posted by: Alison | January 5, 2006 3:16 PM | Report abuse


It shouldn't matter which order you do it in. But it would probably be a good idea to uninstall the third-party patch via Add-Remove programs option directly before applying the Windows patch.

Posted by: Bk | January 5, 2006 3:24 PM | Report abuse

What about those of us who unregistered that DLL? Do we need to re-register it?

Posted by: William | January 5, 2006 3:38 PM | Report abuse

The patch has been released.

Posted by: anonymous | January 5, 2006 3:46 PM | Report abuse

Direct link to all versions of the patch...

Posted by: JT | January 5, 2006 3:48 PM | Report abuse

We still need some kind of coordination between the folks who specialize in discovering these security holes and the people who must fix them, i.e. Microsoft. It does no good to post the info openly and then say it's Redmond's duty to fix it right away. Software fixes themselves can be a big risk if not done and tested carefully. Considering there are hundreds of millions Windows machines out there, the risk of a bad fix is very real. What I am trying to say is Microsoft should be given a 'window' of say 72 hours to address a problem before making it public and exposing all of us needlessly. This metafile situtation was handled very poorly by its discoverer.

Posted by: Tom | January 5, 2006 4:17 PM | Report abuse

Tom: As I understand the situation, they had given Microsoft an early warning. Websense (the group that reported the hole) did not make it public until they saw others taking advantage of the hole. Websense then went public to let everyone know the problem was out there.

Microsoft in their initial announcement even refrained from their usual admonishment about going public with the vulnerability. To me, this indicates Microsoft was aware.

I think Websense did much better than most others that expose these vulnerabilities.

I do not think Microsoft did anything wrong other than potentially muddling the PR side of it. It probably should have been caught in the security audits for SP2, but that is the fault here if any.

Posted by: JT | January 5, 2006 4:25 PM | Report abuse

what is the name of the thirdparty patch that i need to remove? i stupidly installed it without paying attention to the name. thank you.

Posted by: need help | January 5, 2006 4:58 PM | Report abuse

I went to the Microsoft site to download the patch. The first thing it told me was it wouldn't talk to me because I wasn't using Internet Explorer as my browser. (Why do I hate Bill Gates?)

So I closed Opera and opened up IE like a good little Windows drone and went back to Bill's wonderful world of Windows and was told "To continue, you must first add this website to your trusted sites in Internet Explorer."

To do this, you have to add three different variations of the site's URL to IE's list of trusted sites. However, two of the variations provided have only an http:// prefix (no "s"), and when I try to add them, I get an error message from IE saying "Sites added to this zone must use the https:// prefix. This prefix assures a secure connection."

So IE won't allow me to proceed and add Microsoft as a trusted site, so I can't download the patch, so I remain vulnerable due to Microsoft's design flaw. I feel like I'm getting totally hosed here.

Thank you, Bill.

Posted by: Skipjack | January 5, 2006 5:42 PM | Report abuse

Internet Explorer does not automatically recognize Microsoft as a trusted site in the first place? Oh, the irony...

Posted by: Informatica | January 5, 2006 5:53 PM | Report abuse

Hey Skipjack,

As someone else already pointed out in the comments below, you can download the Microsoft patch directly from this site by following this link (it should work in any browser):

Hope that helps.

Posted by: Bk | January 5, 2006 6:16 PM | Report abuse

needhelp, the name of the unofficial fix you want to remove is Windows WMF Metafile Vulnerability Hotfix 1.4

It's probably located at C:\Program Files\WindowsMetafileFix on your computer

Posted by: Alison | January 5, 2006 6:44 PM | Report abuse

regsvr32 %windir%\system32\shimgvw.dll

copied and pasted to your run command will re-register your dll.

GRC website will provide you with a small test program writen by IIflak, the quick patch provider.

Posted by: George | January 5, 2006 7:44 PM | Report abuse

I just downloaded the latest and supposedly greatest from Microsoft, and my computer is not one bit better. Still infected with this crap. Any advice would be much appreciated.

Posted by: Brad | January 5, 2006 7:54 PM | Report abuse

So... is MS making this patch for 98 as well? I've got elderly family who have 98 on their PCs, and I don't want the (*&#$@ aggravation of teaching them to use 2k. it's just different enough to be a pain in the arse.

Posted by: captain Wibblebaskets | January 5, 2006 8:03 PM | Report abuse

capn Wibblebaskets -- No, Microsoft says it is not releasing a patch for Win 9x/ME. It says there is something about the way those systems check for errant activity that never got ported into NT (win2k and beyond). So, according to them, Win9x/ME systems aren't exploitable.

Posted by: Bk | January 5, 2006 8:08 PM | Report abuse

To Brad:

Installing this patch does not remove malicious software; it prevents further exploits using this particular flaw. If you want help removing spyware, I suggest you head over to the "cleanup" forum at for tips. Be sure to read the FAQs there for information too.

Posted by: William | January 5, 2006 9:54 PM | Report abuse

Only certaim Windows are being fixed because others are not presently considered at risk. Given Microsoft are less able to anticipate ways of circumventing security that certain people are at exploiting weaknesses, I am not reassured.

Posted by: Steve H | January 6, 2006 3:06 AM | Report abuse

need help,

To add to Alison's comment, it could be listed as a different version such as 1.2. You can remove it using Add/Remove programs.

Posted by: anon | January 6, 2006 8:55 AM | Report abuse

allison and anon: thank you.

Posted by: need help | January 6, 2006 12:37 PM | Report abuse

Crud. The patch won't install, because I don't have SP1. Since I don't have a broadband connection, the only way to get SP1 is to order it on CD.

With a dial-up connection, a Windows computer is like an old sinking ship, that keeps springing additional leaks.

Posted by: John Johnson | January 6, 2006 3:01 PM | Report abuse


SP1 is OLD. You need SP2 for XP and even then there must be a hundred other patches afterward. With Verizon offering DSL at 14.95, if they have it in your area you may want to consider it. There are cheap cable deals out there too.

Posted by: Tom | January 6, 2006 6:03 PM | Report abuse

>SP1 is OLD. You need SP2 for XP<

According to HP, SP2 has never been tested on my 2002 model. It's an "install at your own risk" upgrade, that may "break" some of the computer's preinstalled software.

Posted by: John Johnson | January 6, 2006 6:22 PM | Report abuse

@ Skipjack:
>>To do this, you have to add three different variations of the site's URL to IE's list of trusted sites. However, two of the variations provided have only an http:// prefix (no "s"), and when I try to add them, I get an error message from IE saying "Sites added to this zone must use the https:// prefix. This prefix assures a secure connection."

Did you uncheck the box labeled "Require server verification (https:) for all sites in this zone."?

Posted by: Mark Odell | January 6, 2006 10:04 PM | Report abuse

I have the latest test files created from version 1.17 both OFFLINE and ON-LINE as well as zip files for the last two prior releases 1.16 and 1.14 located here:,15188688#15188722

They can be used for testing, also there is an patch NOT supported by Microsoft for those running Windows 98 here:

Posted by: ZOverLord | January 6, 2006 11:22 PM | Report abuse

Stupid Blogware trackback process. It seems every time I update the article I did. It re-pings any trackbacks listed for that article. Thus the reason you see the darn thing listed multiple times above. This wasn't an attempt at trackback Spam by any means. Sorry for the mess. I know Blogware is working on sorting out their current trackback system.

Posted by: Iggy | January 7, 2006 6:10 AM | Report abuse

The saga continues. I tried odering Windows XP SP1a on Microsoft's web site, but the [Order CD] button is a dead link that results in a "The page cannot be found" error message. I suppose I will have to try another ordering method. -sigh (As previously noted, I have a dial-up connection, so I can't download the upgrade.)

The [Order CD] button for Windows XP SP1a - English is a dead link. When it is clicked, a "The page cannot be found" error message results. I can't download the SP, because I have a dial-up connection. The problem is on page I can't install the super critical "Microsoft Security Bulletin MS06-001" patch, because I don't have SP1 installed.

Posted by: John Johnson | January 7, 2006 11:58 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company