Windows - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Windows


Microsoft to Rush WMF Patch



 By: eWEEK
2006-01-09
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Windows story.


Rate This Article:
Poor Best
Software maker testing fix for critical Windows hole.

Microsoft Corp. said last week that it plans to release a fix for a critical and previously unknown security vulnerability in a Windows component used to render Windows Meta File graphics files.

The Redmond, Wash., software maker is rushing to test a patch for a so-called zero-day hole after learning of it on Dec. 27 and plans to release it with the companys regularly scheduled January security patches on Jan. 10, according to a company statement. However, with malicious hackers already using the vulnerability to launch Web-based attacks and take control of vulnerable systems, IT administrators were left scratching their heads after Microsoft slapped a "buyer beware" tag on a third-party patch for the WMF flaw.

The news from Microsoft followed more than a week of fevered reports about the flaw, which exists in a common Windows component that is used for handling WMF files. The vulnerable component can be found in almost every version of Windows, and exploit code to trigger the security hole can be embedded in Web page graphics and then triggered by unsuspecting Web surfers, according to security company Secunia, of Copenhagen, Denmark.

Resource Library:

An unofficial hotfix from reverse-engineering guru Ilfak Guilfanov disables a Windows DLL and can protect vulnerable systems from attack. The workaround was tested and approved for use by many security experts, but Microsoft says it cannot vouch for the quality of the fix.

"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006," company officials said in an updated advisory.

Without a full test, its impossible for Microsoft to know what effect the third-party change might have on applications mandated in regulated industries or in-house applications. In the meantime, customers should use safe browsing practices and update their anti-virus software to protect against WMF attacks, the company said.

However, last-minute glitches in the patch testing process could still delay the update.

Jesper Johansson, a senior security strategist in the Security Business and Technology Unit at Microsoft, said a decision to use an unofficial patch should be driven by risk management. "If you have extremely high security requirements, you may want to go so far as using something as drastic as an unofficial patch. However, in that situation, you are probably not willing to trust a third-party packaged patch anyway," Johansson said.

At Principal Financial Services Inc., in Des Moines, Iowa, IT administrators have been following the WMF story closely but feel confident that their systems are adequately protected, said Corey Null, a member of the information services team at Principal. Principal has blocked WMF attachments in e-mail messages for "years" and is using vulnerability scanners to spot Web-based attacks that use the WMF exploit code, Null said.

"I think the level of concern is appropriate. ... Its not like people are running around with their hair on fire," Null said.

Privately, Microsoft officials are furious that the issue was overblown, especially in the mainstream media, where the WMF exploit is being compared to debilitating network worms such as Blaster and Sasser.

Quick facts on the WMF security hole

  • What is vulnerable? Windows XP Service Pack 1 and SP2, Windows Server 2003 (all versions), Windows 98 and 98 SE, Windows 2000 Server, and Windows ME
  • How does it work? A vulnerability in the way Windows renders WMF image files could allow arbitrary malicious code to be run, allowing an attacker to take control of a Windows system
  • Is exploit code available? Yes, exploit code has been available on public Internet sites for more than a week
  • Is a patch available? Yes and no; Microsoft has not issued a patch, but there is an unofficial patch available online



      Reader Comments: Microsoft to Rush WMF Patch
    >>> Be the FIRST to comment on this article!
     

     
     
    >>> More Windows Articles          >>> More By eWEEK
     


    • xks6(9@>x)%XZNRQ$$1H-IVrO<_: 7]hɗwߙĶKht7F;> IMkmJ9;D{{}!Ї}oS/92t=z#m)>M3ة 5w5Gl&r At=NN5%j'A]k|c{F}_2z5o0 fE1;F6IM9JD=֥E!mG$,oQX|:[S=,2tĩ-}!*Ka>$E%U5EhDԸ#|x\'gώ>0{/<Pcw̪Ҵ/v[P;Eyah -\r.",ѽ[@M*6 D=iTV,w2*-&{1ҡk)e 5\`r*jHZ6tG,> H>`7sIzV@h ɠæ&q/!)$fʀ [8QKjF=Ķ|hG'tqr_׽Yoסn܎=wd&A0[b#6fJۆؼ?0}$"9ˡ,ft簢eȆ}{RM*QR,הbYT[,\Yp?/.iR.W9(֝[pnKVj0u=yظ}  ?Vb}" @D%\.I"0i5&ttXOB^$> xZԊhGZAArIja̳|3-i*5$v*?ZZu"uuX&ZhCA+@t׬?#;ˠzqsvz|qӾOZ=$/#t: +?;V'_W[Uկ7#>扷kaj;dPp9LwjTH ?vO_Zd@Odp"˧S~tǷPZ,.s$dBrZ~@X*V Q3of5 x[&%4ɔcPu t:9CsfZ[c*҄& )B!aJ 0sns'@̀kfPXD`4R 9lb vfy;M)IK2_VJ-ɿEh+dԌө$ɛ!"ˆG9xW,ʹc䁉1SUҽT7ws iغT49;?]/7+De,Ⱥ 35-wnzˬ;\g8k5[wսuS5?`EbyƆƇKEHY7-wI0QI}{Qkh,VPQoa G'&-dȠq86ayƄIG?{yL>(NR'}:;)5>'>D#ʠ:괱{\V4@!>F&Ma㻣^h>[ m= sX¤>$֔zNJ$>6ZЉ\χc˖CB뎂:{׻ښB<(Q5ݻCiy1զπCρYzC23t~[>lPs0 q0yzOEȣ$@!"5i]NP@Br68 -4rr>zZ*&RP*m{A XXԪY*X[ 3D2nP\-Ōҵә;ʦwZSv˦Կ~Fl4]Z#֭CVapD30۠,e/6!&]1W=XaT5"16D ȸaw-CePS? !ܔv R6S֩;lSf||tݱM% U<{ Qքa'M}tyy~V>Ҁ!as`Ez . ڀ H }"T0|*UTˈ`maS@@khSUt Փ.E^~~ Z K i?aGzԘ{h}Qɐ Q1gxWyd.>3IR-ʪZJkVv2L:k}\WJZP+{>󂠬8[D ZDň i{<qŁj )Ӛ 4s;N`kԑ 欭+4stJ(ͤVB)EeTedUJC<ϤUNxT)HW,|ˀ'dyM?tUJ|,T̩,BtXκV}|4O?{Z ƆAp7xj=3cݸXvLwASB9^-)(3sMl7b ڵ u*%\.Yi R=cx3e}tV?nHCos 车TaDU5}d5O?6!VɵFZV?&I\TPY\|U7MBR%%!^ͳ!ӂk-90B[0q6R3ڛ=^,@N|K!ZOkX~4wI#y/Ɨ!hs{g OL2zf3z%MMhh^n@,cf^eDI*M&lԆuXztS6neUkVB gI@= c8=.]E^h2)n*)ۙjFMY@j# wOkʁn*l>EM+t׀m+J9wWGc&3t@ 2ɢ\' WeRU@o8J3AJ j ;!q[6xD ?=a?q-49IkԈ3x0O /V(YqALohqNL w>C(1AcE6 k{J~Zg^t= lvD2m{?RXnڧCR1Y/5;/x;Ȅuuo_u{~{y[QAZ=kq /*}Uj_qHJG6-|~<ڝtȾYM $ȅ XCfO"yzھ(]:laE:p0\!9аqvNcR|I{ѽE%%{wD's=BAH͋CzW!zN.ZnfS L k;d8)0'hdjm\8$Ø/=P‴ !寎{}ںĂ.K^ל$"j\N3$nX,ʆqq ;coMw~mXLXoH=(_aHH]T diwu]N αf_ B@npkz!NU e,$+e3ғ2MNMNx{| Mr /Uщk =^ 4~ y*~y:~_dxD ǻBٰGg15\6IϤ{q@H E \8/wIB88e(n1~xA\~n]eԉ(%T \ '?m[ė{,/=;SL&#U([4wiay-mrdJ1%SBeޞ,Hy=Yi@ybZӽK3Bvmc%1fcg[U c KQk I"\) -|8SB[,>kI)jݷɪ\؅^\Ap0R`0"!9ϫ|1}~YU*;N H1@g?KظN*4b9l_빿AݞnaeѼ̱?nw{f ~{OjКS}AxDucBA95Zѧ~t ޶a ~UjsŽ&n eV@,pH.s8ti\vyo]9ar܂#AIՂ3QG>j S>O4wX\/f9!-[wzF]Yfg_ 'kA}i^w7t,LUzy@ XJ}~l/It:Djy[aG{CWȪ̙S.{ۋ.W#Sv`q9-&nu@oǥ7DLZ?GkoDL;*pctOxZ~D Rfm]Ni j.ǎs$gr0G $T8h |nwkLlll4RbШ,r9٦pr[mP\9>m` ܭ'p=xnV،̃uYW ZL45+dZ7tG>sf>T:cB:Sk 7կ#R=G@"X>ZuǑjȺO\_TE-)59#&5N.n")\S9X 3z0Zx瓜Zc+*jNr^/)mVpK]9_̨'}>lKzvo),,AdP[C7A G{ s-YorSqIћc%s3 0sjK9 v'V'm7侏$u'H~P0n!RD.aBd5=Dc2Pq :q )/ \;]1(Vp#'K`[Q̩0U?ZgYE\T_'bc05qYGLДIUI?xzGU]V{IܒtJ,ۆO)Z-dndKf_2ԍ"yc +;]4K_0hdM00\nS/X@3*JkC .Mbrp%tVXgOԮW2ܼII#~a$gX 8GNNT'|A=ݩkbnV ěǽJX mVؖP*`2;AQm&Y&g[z [)%3n0Zxu헕R)>~˦7cChS}&ե2̲Z^Z)?LB ,VybzUF]VX?- YFV 11J=wZu3YH_ܹRn.c*@VVnըCG`  $t}vI5CD;E;Jx={A5^֖tŏgmy9)c'OsoEDBHWE0ѾQܓ0"a7v% iJ{CDHJ ѭKs'R'KjA-7RM€3-/p> /t{#D ||5 bK|S\O EHD^eC]jfx;m 4Q`?7 9FfbwH Wz`S:M U7m ƠtE:ns͵p9氈E8,"`6ӯ$K^E <+'Uے*&"@OS,7ۮCt5wVL`SV$#T>aߪ~зrc뢛l%uuuu-YV}h/k^@1=iv6o+g]WwkmܫZ ƪ}`7"iTJZ) (=ş-xz7y))lyfL?ŧTȄ4_|YrO|k N")vۗ@ӚC-`$;15㥙m[A˽?V4 mY[`cX4gEq{O`Ymsm-6,ѩ{GW‡eX -]_֝ϖUt:yG©وj:!TJE:`ѿ/,KX)c<r64 h`P3DWГ 5>FKjΝkj+~)y_ڋK۪_xأAe^tH OT 'U># l1E+lZgj w .P4A_>ƛ>2zEo~x+˴4nA 83.NdCҏ"ruvhT_ ӺjZt(O4s όb1{nCŽ[?_܎D,z/, 3,K?#"̿զQ04 :6M=ez@~RJ~/zׄ`MgNp^I:ТCxbu~Mpq-FQ q2{/@=w E)=Vp0bݵ#g𡝊ZGKD.Xm'V8΅ {)94i[> 4>(CZPBZ’M=Is9ꚒrI|l @`j '"l\M!8AXJrܘE Pa ye%ǸPFPxAҼ20`S,^𡪐J711ǜSgCRSs.}KRG(VzdqK<// #|Й>&>-E(([3HQ&|٢JTH4i`o?bTy ޣg5ԈGbv XPa{v̈́vzW\AO[jKwDP֝uȨPcC.*, =,u -쉢jc/@VR˰0-|ri;.RusG"1gj䫅Jiգz| UMhբ* ܧsC0]vݱ|y`ǚ""QGl;TҊj95 4n6[&Fb؈>PP*(Zz;-K|k1m^awv鮦C/ѽ_3B;sBՋG^n/9R#=AfYrRfϗp ʹG[RJYIvi~Xev7 tAuGw,@8S=рHz3jX:.>#V̯mR߃q>k[Q{ZwŒ\>fF+5mFASW1h=U1D@#  Ĉ[ bV&w 3A@:-u@$y2vAf.B0 %!Vf\nz~uC +@uo7za: Ǎpi})48! ȅLޝ!:\˘Z8кd>rK/~m#kN1HSvMZ֨n~)5qX cpTpԪd5B&(qik8<|wV4Ÿ&, @אI`lgZ #BLk43D@Ec^r {VĄ㐷> A"۾blUo%P`qT83njsc;G7g;ΥIFZ||N]ƒ $BqнӜhV!oXe2}xИ1RU+J)L Uꪂ 2l=VR"v<>'A~guEp HD+^@;:}Gfڟ4\yuuuI]Zwrݾ귻uѽX֚_ԝ闓՗e}5;%|j5ۼ6/ ˙͓^9lvZLOSʩ`Sg̥,% E*w"E.Z'}ҽlJk%ꋲ Nj_ _!׌kȿޜJmfw!ߜ 88me@3Y~>B?f'9k7OsiF>?ϴ/35~e//E1?'cɂdd"3>;d'e/?Cs?-#|ˌKˌBfȟ.ȗn|ʠ+Q:~z0^{0^@ 9ק a|397{A7MF7@7\$)cf5pvJEs_53TyU[˳gȳ;F7^˰sk=ce_/ˀ/q>\J}u=M+ƥw*WY[xM}-kk[F1n6d b 5Ru(X2M*!+(,8%]}fMNJ 44k 7b]YDYAI{R}ntE I>4qLvw,o,lcENj9&yQgΒ'8VɴV !,Eނl>܃fcp2 #GYȘkOV/3i˘ЈwS; =yq&9. ۍ䳂9<#pҚ]lsفGj5OKWYn- ǡ8[ =|oC/+Oxguv>XBAi]_6/W͏-̧d닠iP,P !F7@jd2 yr҇9Sh ;wMm=SE Nz.{41{zöwNrP*5VZ*{_5"p = G1vQ5YUdJ*'jeV*V&K h[qRbo視7 y8an%[z^"z%^>FG>u_Q, eaSKp$vŐb0}3OOcoy=s]tYN 4g_ܹ?|NeFIw1ӐMX%%lEݨ"ۖC]']^ƞL͡;O,D~f&gMcBݡ>W&R g)b|+S}&Ճoϒ0 E/^CJ,6 kQ{Ϲerń#2O 5U"zwB.n%ǚl~KFsг055]^ L~I=F"I)ӅV,.`}|dn:tzqcYWIHxLˆk)+| @'@0~PZ>r {Sv3&oF"g}#oavaw|1'Q:༓+ SDNq?i"r]6M b ه%?13`SǮ59Dp#dO7<6>IL’Be Im/@{ SN'6Y`_GBbЗ ;:3U^6 aXzt>]&ѠGbFdoN[a&m_1S&g}Ez=~P2L6G1 (T(z ̸>ΐ\(M9cњu8:\5m$=IKh4[5b8gKbaDmz 0\"gzܤ;Kun 3&R,HI`BOq/Chyaz69"Pg2D~kJ=&*P=eZO] n,8^ ϒ֒Ǎֶ >=v|"eI.~=MT~7)H%WbF8]x "!_Ra§oi.y>ⶁ!} 3 q:iwasD:>yePޙ!/;vcS)GNJph)hFxy?Y u+ 1ml.n; ;C:bd:vΣ@\U Cr 恜0њSWGQ:ۓm|?/e{:з57d(P|ӽE^gʍt/Ast2c43@FC0!i}"sEt䐲%(Xp^'A6z"0lB _pc!*m^x[9Na]|ۺkAў(Xnw|h[d-+G!ЮT)v"ʕ.Slܞ=Cڗa҃f_X ( Lw^t|8N]=PŃGHƸ[[ q~6`;Ш1DLMv)E9btD]T) ʢ6M 9ߵ3q߼,ۿvy\F0g3# cgb@xO=_qxF|,ؙ9uOR6Ȥ{ mPCdk=R+Eq sX ǼVwWRڱ!;/D?8@ c, ;fcJ ,oԛŠ'TS*a#o *;AN7Wm S$ˉ;[S'>ZYˆBd'KUܵѩh^٢C><|g`)nԈ #Ay,O~у!gn耵gl,C' SƅW5dPOYTc.GfT{ LW{څ$hxb < nBh1  b'kI'R$la$rR3 'ET z.t3^\/4yv{ϼ󡟼0SS2wħ$Y?w@ Ogr|A>&:A0X+9 ^EkM`.g˾t/rJzgͳFk+,O{(F8x?\}ҽ^`֍[{Goy6xT꟭eUUN$7Mѓec.޳มL셫Qbm٦dUi29Z}) q̓֫4>(1vlƝl n!%56|G\k EWZ\!׺)