Microsoft says 'Wait for us' as WMF threat climbs
It does not plan to release a patch until Jan. 10
IDG News Service - While some security researchers are advising Windows users to rush to install an unofficial patch to fix a vulnerability in how the operating system renders graphics files, Microsoft Corp. wants customers to wait another week for its official security update.
The problem is in the way various versions of Windows handle graphics in the Windows Metafile format. When a vulnerable computer opens a maliciously crafted WMF file, it can be forced to execute arbitrary code. Microsoft published its first security advisory on Dec. 28, saying it had received notification of the problem on Dec. 27 and was investigating whether a patch was necessary.
Today, Microsoft updated the advisory to say it has completed development of its own patch and is now testing it for release next week.
"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on Jan. 10, 2006," said the advisory.
The company said it carefully reviews and tests its security updates and offers them in 23 languages for all affected versions of its software simultaneously. Microsoft "cannot provide similar assurance for independent third-party security updates," it said.
The number of users potentially at risk is high, with all versions of Windows exhibiting the vulnerability, but the number actually affected so far is relatively low, researchers say.
Staff at McAfee Inc.'s Avert security research lab report that 7.45% of users of the company's retail security products were found to have computers infected with malicious programs through the WMF exploit as of today. That's up from 6% of users on Saturday.
The chance of running into a malicious WMF file is climbing, and with it the danger of running an unpatched system (see "Risk of Windows WMF attacks jumps 'significantly,' security firm warns"). Already, one security Web site has had to warn visitors to stay away: The owners of the knoppix-std.org site warned in a forum posting that hackers had modified the site in an attempt to exploit the vulnerability on site visitors' machines.
There is "a lot of potential risk" associated with the vulnerability, according to Jay Heiser, a research vice president at Gartner Inc. and the company's lead analyst on information security issues.
"If it can be exploited in any significant way, it would be an extremely big risk," he said. "It's a race between Microsoft and the exploit community."
The bad guys had a head start in that race. Security researchers at Websense Inc. first spotted malicious Web sites using the exploit on Dec. 27, but those sites may have been doing so as early
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts