Microsoft Responds: WMF Vulnerability

Microsoft responds to eWEEK's coverage of flaws in Windows Metafile Format.

Given the amount of feedback we've received from customers recently about the WMF vulnerability found in Windows, we wanted to provide some context around our response to that vulnerability.

We first learned about the WMF vulnerability and exploit code on Dec. 27. We immediately mobilized our Software Security Incident Response Process and started investigating the reports and working on a security update.

It was essential that the security update be of the highest quality to ensure that customers didn't experience any setbacks during deployment. Creating the update was a straightforward process. The challenge was testing the update on all supported versions of Windows and ensuring that the affected applications were not negatively impacted by the update.

We forecasted that delivering the update would be possible in conjunction with our regular security update release in January. Our customers have told us that they prefer to receive security updates as part of the regular, monthly release process, as this helps them plan for testing and preparation.

We have always said that, if warranted, we would release an update outside the regular release process if it has been thoroughly tested. In this case, the security community was not seeing a high rate of infection. However, our customers told us that they'd rather have the security update then than wait until the regular, monthly release. Based on this feedback and the fact that we had finished testing the security update earlier than expected, we released the update on Jan. 5.

We are very proud of the teams that pulled together to finish this update in a record time of 10 days, from discovery of the vulnerability to when we issued the update. We understand that customers will always need security updates as soon as possible. However, we have to balance that with the amount of work it takes to thoroughly test and deliver a quality update. That is our commitment to our customers.

Debby Fry Wilson
Director of Security Engineering and Communications
Microsoft Security Technology Unit