Microsoft says 'Wait for us' as WMF threat climbs

IDG News Service - While some security researchers are advising Windows users to rush to install an unofficial patch to fix a vulnerability in how the operating system renders graphics files, Microsoft Corp. wants customers to wait another week for its official security update.

The problem is in the way various versions of Windows handle graphics in the Windows Metafile format. When a vulnerable computer opens a maliciously crafted WMF file, it can be forced to execute arbitrary code. Microsoft published its first security advisory on Dec. 28, saying it had received notification of the problem on Dec. 27 and was investigating whether a patch was necessary.

Today, Microsoft updated the advisory to say it has completed development of its own patch and is now testing it for release next week.
"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on Jan. 10, 2006," said the advisory.

The company said it carefully reviews and tests its security updates and offers them in 23 languages for all affected versions of its software simultaneously. Microsoft "cannot provide similar assurance for independent third-party security updates," it said.

The number of users potentially at risk is high, with all versions of Windows exhibiting the vulnerability, but the number actually affected so far is relatively low, researchers say.

Staff at McAfee Inc.'s Avert security research lab report that 7.45% of users of the company's retail security products were found to have computers infected with malicious programs through the WMF exploit as of today. That's up from 6% of users on Saturday.

The chance of running into a malicious WMF file is climbing, and with it the danger of running an unpatched system (see "Risk of Windows WMF attacks jumps 'significantly,' security firm warns"). Already, one security Web site has had to warn visitors to stay away: The owners of the knoppix-std.org site warned in a forum posting that hackers had modified the site in an attempt to exploit the vulnerability on site visitors' machines.


There is "a lot of potential risk" associated with the vulnerability, according to Jay Heiser, a research vice president at Gartner Inc. and the company's lead analyst on information security issues.

"If it can be exploited in any significant way, it would be an extremely big risk," he said. "It's a race between Microsoft and the exploit community."

The bad guys had a head start in that race. Security researchers at Websense Inc. first spotted malicious Web sites using the exploit on Dec. 27,