Microsoft rushes out patch for WMF flaw

Amid controversy and customer demand surrounding a flaw in its Windows operating system, Microsoft on Thursday abandoned its announced timetable for supplying a fix and rushed a patch onto its Web site to correct a problem that could allow a hacker to gain control over desktops or servers.

The company said in a statement that it was reacting to "strong customer sentiment that the release should be made available as soon as possible" to patch the flaw in the Microsoft Windows Metafile (WMF) image-rendering engine. Microsoft also was feeling heat from security experts who said the vendor's response was too slow.

Originally, Microsoft had said it was testing a patch that would be available on Jan. 10, the day of its regular monthly release of patches. Microsoft found out about the WMF exploit on Dec. 27. On Thursday afternoon, the company sent out an advisory saying patch MS06-001, the company's first patch of the New Year, would be available Thursday, Jan. 5, at 2 p.m. PDT.

Microsoft plans to hold a Web cast on Jan. 6 to provide deployment guidance and answer questions. Users can sign up for the Web cast here.

Users also can consult Microsoft's Security Advisory 912840.mspx for guidance on how to prevent attacks through exploitation of the WMF vulnerability.

The WMF flaw has been the focus of a so-called zero-day exploit - malicious code taking advantage of the hole in the operating system and either showed users the announcement "Congratulations, you've been infected!" before taking over their machines or worked silently in the background seeding the PC with spyware and adware.

The threat presented by the WMF vulnerability was perceived by security experts to be so severe that the SANS Institute, a security organization that monitors Internet threats, took the unusual step of offering a WMF patch of its own for Windows XP and Windows 2000. Security vendor Eset, also jumped in with a WMF patch of its own.

"In this case, Microsoft is taking too long," said Johannes Ullrich, chief research officer at SANS Institute.

While Microsoft does not bind users to any contractual limitation on using third-party patches, the company urged users to wait for its official patch.

The issue only got more complex when Microsoft mistakenly released a not-fully-tested version of the WMF patch, then telling customers to "disregard the postings."

In its statement, Microsoft said its "development and testing teams have put forth a considerable effort to address this issue..."

Corporate users running Windows Server Update Services will receive the update automatically. Microsoft said the update is supported by Microsoft Baseline Security Analyzer 2.0, Systems Management Server, and Software Update Services. Corporate users also can manually download the patch from here.

Consumers who use Automatic Updates will receive the update automatically. Users also can manually download the update from Microsoft Update or Windows Update.

Consumers can get more information at http://www.microsoft.com/athome/security.

Microsoft said it will continue to monitor attack data, but said its research so far indicates that exploits are limited and can be blocked using anti-virus software or workarounds.

Join the newsletter!

Error: Please check your email address.

More about MicrosoftSANS InstituteThe SANS Institute

Show Comments

Market Place