Microsoft says 'Wait for us' as WMF threat climbs
It does not plan to release a patch until Jan. 10
IDG News Service - While some security researchers are advising Windows users to rush to install an unofficial patch to fix a vulnerability in how the operating system renders graphics files, Microsoft Corp. wants customers to wait another week for its official security update.
The problem is in the way various versions of Windows handle graphics in the Windows Metafile format. When a vulnerable computer opens a maliciously crafted WMF file, it can be forced to execute arbitrary code. Microsoft published its first security advisory on Dec. 28, saying it had received notification of the problem on Dec. 27 and was investigating whether a patch was necessary.
Today, Microsoft updated the advisory to say it has completed development of its own patch and is now testing it for release next week.
"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on Jan. 10, 2006," said the advisory.
The company said it carefully reviews and tests its security updates and offers them in 23 languages for all affected versions of its software simultaneously. Microsoft "cannot provide similar assurance for independent third-party security updates," it said.
The number of users potentially at risk is high, with all versions of Windows exhibiting the vulnerability, but the number actually affected so far is relatively low, researchers say.
Staff at McAfee Inc.'s Avert security research lab report that 7.45% of users of the company's retail security products were found to have computers infected with malicious programs through the WMF exploit as of today. That's up from 6% of users on Saturday.
The chance of running into a malicious WMF file is climbing, and with it the danger of running an unpatched system (see "Risk of Windows WMF attacks jumps 'significantly,' security firm warns"). Already, one security Web site has had to warn visitors to stay away: The owners of the knoppix-std.org site warned in a forum posting that hackers had modified the site in an attempt to exploit the vulnerability on site visitors' machines.
There is "a lot of potential risk" associated with the vulnerability, according to Jay Heiser, a research vice president at Gartner Inc. and the company's lead analyst on information security issues.
"If it can be exploited in any significant way, it would be an extremely big risk," he said. "It's a race between Microsoft and the exploit community."
The bad guys had a head start in that race. Security researchers at Websense Inc. first spotted malicious Web sites using the exploit on Dec. 27, but those sites may have been doing so as early
- 2013 Cyber Risk Report The "Cyber risk report 2013 Executive summary" presents the major findings of HP Security Research's comprehensive dive into today's cyber vulnerability and threat...
- Why You Need a Next-Generation Firewall This white paper explores the reasons for implementing next-generation (NG) firewalls and lays out a path to success for overburdened IT organizations.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Malware and Vulnerabilities White Papers | Webcasts