I don't know how many people have noticed this because of the WMF stuff, but there are also vulnerabilitys for DOS and Code Execution on BES (Blackberry Enterprise Server) when attempting to handle TIFF and PNG images for the Blackberrys connected to it. Basically special image files emailed to a Blackberry and there's issues.
Back on the WMF thing, it looks like email isn't a direct attack vector - one has to click a link in an email. Most people will click links in email without thinking, but at least it's something. That link also mentions no problems with the patch which is false. There's IE issues and printing issues. The latter is sorta scary, since the vulnerability is linked to printing, so it appears poorly designed/outdated drivers could be broken by a real patch too.
My favorite workaround so far is probably unregistering the DLL as Microsoft suggests, but also changing ACLs to prevent shimgvw.dll from reloading.
In other news, a good summary is available from SANS ISC, which mentions that DEP available in XP SP2 could help with the right system. "However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit."
Also, there's an interesting writeup on the whole issue with image file vulnerabilities (which have been found in pretty much every OS in the last year or two, although not as a designed in feature like WMF).
Jesper Johansson, a security guy at Microsoft, has a good analysis (his, not official Microsoft opinion) of the benefits and drawbacks, both technical and procedural, of different ways of dealing with the WMF Exploit before an official patch is available.
There's now a worm spreading the exploit around on MSN. If you have no clue what I'm talking about, you can read about the exploit. I'm not sure about the worm specifically, but there is some nasty code out there for this. Basically it takes advantage of Windows looking at the content and not the extension to send it as a .jpg, it splits it over the Ethernet MTU (biggest a single packet can be on the network, 1500 bytes, actually a bit less actual data after IP and TCP) so sniffers that don't reassemble streams can't detect it, plus the usual random size/name/method of implementation. This should be a fun one...
Unfortunately Microsoft says the only fix at this point is to unregister a dll, but the problem is really in gdi and not that one, so if many people do that there'll just be modifications made. Windows users may want to take appropriate action.
Copyright ©2000-2008 Jeremy Mooney (jeremy-at-qux-dot-net)
