Another Unofficial WMF Patch Released

Security vendor ESET releases its own fix for the Windows Metafile flaw, but Microsoft again insists customers should be wary of third-party updates.

Another unofficial patch for the Windows Metafile flaw is making the rounds.

Security vendor ESET, makers of the NOD32 anti-virus program, on Wednesday shipped an interim patch for the bug, almost a week before Microsoft Corp. is scheduled to release a properly tested security update.

Rick Moy, vice president of marketing and sales for ESET said the widespread use of Microsofts operating system means that a "very large user base [is] susceptible" to the zero-day vulnerability.

"In order to prevent any propagation of the vulnerability, ESET recommends that organizations take immediate preventative action," Moy said.

The patch is available for free from the ESET home page.

/zimages/6/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Ilfak Guilfanov, author of IDA Pro and a software engineer widely hailed for his reverse engineering work, has also released a hotfix that is enjoying wide distribution on several security Web sites.

However, officials at the MSRC (Microsoft Security Response Center) has again made it clear that the official Windows update coming on Jan. 10 might not interoperate with untested third-party patches.

"We are not testing our patch against any other patch," said Kevin Kean, operations manager of the MSRC. "Our primary concern is providing a quality patch for millions of customers. We havent spent any time analyzing any other patch to check for interoperability."

/zimages/6/28571.gifClick here to read more about smart WMF remediation.

In an interview with eWEEK, Kean said the update planned for Januarys Patch Tuesday was in effect an "emergency patch" that was turned around in a two-week time frame.

"We view this as an emergency situation. Were pulling out all our resources and literally working 24 hours a day to get this ready. Were repurposing testing resources and grabbing anyone and everyone who can help us bring this to completion as soon as we can," Kean said.

MSRC director Debby Fry Wilson said the company has redeployed internal resources in a frenzied attempt to get the patch ready. In the hubbub, a pre-release version of the patch was accidentally posted online and had to be hurriedly removed.

"That particular piece of code was not tested and is not the version we will release [next] Tuesday," Wilson said.

She also said Microsoft was working closely with law enforcement authorities to disable Web sites distributing the active WMF exploits, and added that the situation has "stabilized" significantly since the first wave of attacks started on Dec. 27.

Wilson also left the door open for an emergency, out-of-cycle patch release if the threat escalates. "If our intelligence changes and indicates that infections are growing and impact is more severe, well go out-of-cycle. Were looking at the data on a minute-to-minute basis to make the right call on that."

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.