Update: Microsoft patch for WMF flaw to be released Jan. 10

IDG News Service - Microsoft Corp. said today that it does not plan to release a fix for the Windows Metafile (WMF) flaw until Jan. 10, when a patch will be included as part of the company's scheduled monthly updates for January.

Microsoft has completed development of a patch for the flaw and is now testing it for quality and application compatibility, the company said in an advisory updating an earlier advisory released last week.

The update will be available at Microsoft's Download Center in 23 languages for all affected versions of the Windows operating system.

"Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement," the company said in its statement. " Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."

Corporate IT departments should do a risk assessment before deciding whether to wait for the official patch or not, officials at SANS Institute's Internet Storm Center (ISC) said in a note this morning. "What would be the cost to your company if you are compromised between now and January 10 if the update is released as mentioned?" the note said in direct language.

"Can you really afford to do nothing? Are you willing to gamble that unregistering the dll is sufficient or do you go with defense in depth and apply the unofficial patch? You make the choice," ISC officials said.

Yesterday, security researchers at the ISC urged Windows users to install an unofficial security patch now and not wait for Microsoft to make its move.

Their recommendation followed a new wave of attacks on a flaw in the way Windows 98 through XP versions of the operating system handle malicious files in the WMF format. One such attack arrives in an e-mail message titled "happy new year," bearing a malicious file attachment called "HappyNewYear.jpg" that is really a disguised WMF file, said security research companies including iDefense Inc. and F-Secure Corp. (see "Risk of Windows WMF attacks jumps 'significantly,' security firm warns").

Even though the file is labeled as a JPEG, Windows recognizes the content as a WMF and attempts to execute the code it contains.

Microsoft said in an advisory last week that to exploit a WMF vulnerability by e-mail, "customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability."