Microsoft to Rush WMF Patch

Software maker testing fix for critical Windows hole.

Microsoft Corp. said last week that it plans to release a fix for a critical and previously unknown security vulnerability in a Windows component used to render Windows Meta File graphics files.

The Redmond, Wash., software maker is rushing to test a patch for a so-called zero-day hole after learning of it on Dec. 27 and plans to release it with the companys regularly scheduled January security patches on Jan. 10, according to a company statement. However, with malicious hackers already using the vulnerability to launch Web-based attacks and take control of vulnerable systems, IT administrators were left scratching their heads after Microsoft slapped a "buyer beware" tag on a third-party patch for the WMF flaw.

The news from Microsoft followed more than a week of fevered reports about the flaw, which exists in a common Windows component that is used for handling WMF files. The vulnerable component can be found in almost every version of Windows, and exploit code to trigger the security hole can be embedded in Web page graphics and then triggered by unsuspecting Web surfers, according to security company Secunia, of Copenhagen, Denmark.

An unofficial hotfix from reverse-engineering guru Ilfak Guilfanov disables a Windows DLL and can protect vulnerable systems from attack. The workaround was tested and approved for use by many security experts, but Microsoft says it cannot vouch for the quality of the fix.

"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006," company officials said in an updated advisory.

Without a full test, its impossible for Microsoft to know what effect the third-party change might have on applications mandated in regulated industries or in-house applications. In the meantime, customers should use safe browsing practices and update their anti-virus software to protect against WMF attacks, the company said.

However, last-minute glitches in the patch testing process could still delay the update.

Jesper Johansson, a senior security strategist in the Security Business and Technology Unit at Microsoft, said a decision to use an unofficial patch should be driven by risk management. "If you have extremely high security requirements, you may want to go so far as using something as drastic as an unofficial patch. However, in that situation, you are probably not willing to trust a third-party packaged patch anyway," Johansson said.

At Principal Financial Services Inc., in Des Moines, Iowa, IT administrators have been following the WMF story closely but feel confident that their systems are adequately protected, said Corey Null, a member of the information services team at Principal. Principal has blocked WMF attachments in e-mail messages for "years" and is using vulnerability scanners to spot Web-based attacks that use the WMF exploit code, Null said.

"I think the level of concern is appropriate. ... Its not like people are running around with their hair on fire," Null said.

Privately, Microsoft officials are furious that the issue was overblown, especially in the mainstream media, where the WMF exploit is being compared to debilitating network worms such as Blaster and Sasser.

Quick facts on the WMF security hole

  • What is vulnerable? Windows XP Service Pack 1 and SP2, Windows Server 2003 (all versions), Windows 98 and 98 SE, Windows 2000 Server, and Windows ME
  • How does it work? A vulnerability in the way Windows renders WMF image files could allow arbitrary malicious code to be run, allowing an attacker to take control of a Windows system
  • Is exploit code available? Yes, exploit code has been available on public Internet sites for more than a week
  • Is a patch available? Yes and no; Microsoft has not issued a patch, but there is an unofficial patch available online