Microsoft Back in WMF Hot Seat

Releases fix ahead of schedule; questions raised about company's handling of process.

Microsoft Corp. late last week changed course and released a patch for a critical hole in Windows five days before its scheduled release date.

The company cited faster-than-expected testing and intense customer demand for one of the fastest patch releases in its history. But Microsofts handling of the release of a patch for a vulnerability in a Windows component for rendering WMF (Windows Metafile) images put the company back in the hot seat, rekindling issues Microsoft thought it had put behind it long ago.

Microsoft, of Redmond, Wash., initially said it would release a patch for the WMF hole with its regularly scheduled Jan. 10 security updates but began distributing the patch on Jan. 5, shortly after testing of the patch was complete.

The "out of band" patch came as evidence mounted last week that attacks and successful exploits using the WMF flaw were spreading, including an explosion of images using variations of the WMF attack and an automated tool, WMFMaker, that makes it easy to create attack images.

At The SANS Institutes Internet Storm Center, in Bethesda, Md., incident handlers collected more than 200 unique WMF exploits early last week, which were forwarded to Microsoft, according to Chief Technology Officer Johannes Ullrich.

Employees at SecureWorks Inc., of Atlanta, recorded a big increase in WMF attacks last week over the previous week. More than 100 of the companys clients, many of them banking and finance companies, were being targeted by approximately 137 attackers as of Jan. 4, compared with just six clients and 24 attackers the week before. The company recorded more than 3,733 attacks by the evening of Jan. 4, according to information provided by SecureWorks.

Still, Microsoft maintained that its out-of-band patch was a response to customer demand, rather than a changing threat landscape. WMF attacks are declining, not spreading, according to Debby Fry Wilson, a director at the Microsoft Security Response Center.

Fry Wilson cited internal data at Microsoft and reports from anti-virus vendors. "Infection rates are consistently low to moderate," and declining, she said.

Researchers at McAfee Inc.s AVERT (Anti-Virus Emergency Response Team) labs didnt see declines in WMF exploits, but they said they held steady in the first week after the exploit code was released.

However short, Microsofts delay in releasing a fix prompted virtual scrums around unofficial patches, such as that released by independent developer Ilfak Guilfanov.

PatchLink Corp. said last week that it would offer Guilfanovs patch to its customers. The company does not typically circulate unofficial patches for operating system vulnerabilities but said that the specifics of the WMF exploit demanded action, according to Chris Andrew, vice president of security technology at PatchLink, of Scottsdale, Ariz.

"Youre talking about hundreds of millions of computers with no patch ... [and] the result of the WMF exploit could be catastrophic," Andrew said.

Microsofts response to the WMF threat threw a shadow over the companys patch production and distribution process. Most experts agree that Microsoft has improved that process in recent years, and they recall days when experts pilloried the company for its slow response to threats and outbreaks.

"The whole thing frustrates me, period," said Donna Pfeil, network security officer at ShoreBank Corp., a community bank in Chicago.

"Id like to see a bit more of a proactive response and earnest effort," Pfeil said. Still, Pfeil said she would be very wary of deploying anything at ShoreBank short of a thoroughly vetted patch from Microsoft.

Pick a patch

Unofficial WMF fixes

* Ilfak Guilfanovs hotfix modifies the Windows gdi32.dll, which contains the vulnerable code

* Paolo Montis WMF patch uses dynamic API hooks to intercept the Escape gdi32.dll API and filter out the function, SetAbortProc, used in WMF exploits

* Microsofts workaround disables shimgvw.dll, a Windows component used by the Windows Picture and Fax Viewer on Windows XP and Windows Server 2003 systems