Microsoft Patches WMF Flaw Early

Facing customer complaints, and users going to unofficial patches for the answer, Microsoft fixes a critical flaw five days early.

By Jim Wagner | Posted Jan 5, 2006

If enough people complain, even software giants like Microsoft will heed their call.

That's the takeaway from Redmond's advisory today, which said it would release a patch for a critical vulnerability in Windows metafile (WMF) handling the same day, earlier than it had planned.

The patch comes after security experts discovered a critical vulnerability in the Windows metafile (WMF) format last week, one that could potentially expose a user's computer to remote exploitation and allow an attacker to make changes to the system.

Originally, the company had intended to release the patch next week during its regularly scheduled Patch Tuesday security vulnerability update.

But Microsoft said today it had moved the timetable up because it finished testing the patch early, and as a way to respond "to strong customer sentiment that the release should be made available as soon as possible," according to the advisory.

The security patch and details can be found here.

Since the vulnerability was first discovered, some Microsoft customers were downloading unofficial patches from third-party organizations while they awaited an official patch.

IDA Pro author Ilfak Guilfanov posted a hotfix on his blog, while ESET and patch management vendor Patchlink released interim patches today. Third-party patches can sometimes spell trouble of a different sort for customers in terms of software incompatibility issues.

In the case of Guilfanov's patch, a fix for the WMF flaw was in high demand with computer owners. He wrote on his blog that the hotfix page needed to be stripped to the bare minimum because of the "incredibly high load" the page has experienced since the hotfix was publicized.

But downloading and installing unofficial patches could have the unintended consequence of breaking software applications.

"McAfee does not endorse, at this time, third-party patches," said Craig Schmugar, virus research manager at the security company's Anti-Virus Emergency Response Team (AVERT), despite seeing evidence of widespread infection from the WMF exploit since releasing an anti-virus definition 12 hours after discovery.

In a week's time, he said, the particular signature ascribed to the WMF exploit was detected on 156,000 computers.

The reason, Schmugar said, is compatibility and quality assurance, reasoning backed up by Microsoft. In its security advisory published last week, Microsoft officials cautioned users against installing third-party patches, citing possible compatibility issues.

"As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software," the advisory states. "With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft's security updates are offered in 23 languages for all affected versions of the software simultaneously. Microsoft cannot provide similar assurance for independent third party security updates."

Sometimes, however, drastic measures such as installing an unofficial patch are necessary. Tom Liston of the SANS Institute's Internet Storm Center Web site called the WMF vulnerability "very, very bad" and said users cannot wait for the official patch from Microsoft.

Dean Turner, senior manager for security response at Symantec, wouldn't come out and recommend users against installing unofficial patches, but warned network administrators to use caution.

"At the end of the day organizations need to be very careful about deploying patches of any kind, unofficial or otherwise," he said. "I would recommend that if people are going to install a patch that they test it beforehand."

He did recommend administrators apply Microsoft's official patch as soon as possible.

Patchlink sent e-mails to customers this morning with several different courses of action its customers can take to address the WMF vulnerability.

According to Chris Andrew, Patchlink vice president of security technologies, the company wanted to provide several options for its customers, who could then pick the method they preferred. The company, like many security vendors, has also released workarounds to close down some of the avenues of attack the WMF exploit might use.

"This is a very new development that customers need to be aware of and need to look at," he said.

Article courtesy of internetnews.com
