Microsoft says 'Wait for us' as WMF threat climbs
It does not plan to release a patch until Jan. 10
January 3, 2006 12:00 PM ETIDG News Service -
While some security researchers are advising Windows users to rush to install an unofficial patch to fix a vulnerability in how the operating system renders graphics files, Microsoft Corp. wants customers to wait another week for its official security update.
The problem is in the way various versions of Windows handle graphics in the Windows Metafile format. When a vulnerable computer opens a maliciously crafted WMF file, it can be forced to execute arbitrary code. Microsoft published its first security advisory on Dec. 28, saying it had received notification of the problem on Dec. 27 and was investigating whether a patch was necessary.
Today, Microsoft updated the advisory to say it has completed development of its own patch and is now testing it for release next week.
"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on Jan. 10, 2006," said the advisory.
The company said it carefully reviews and tests its security updates and offers them in 23 languages for all affected versions of its software simultaneously. Microsoft "cannot provide similar assurance for independent third-party security updates," it said.
The number of users potentially at risk is high, with all versions of Windows exhibiting the vulnerability, but the number actually affected so far is relatively low, researchers say.
Staff at McAfee Inc.'s Avert security research lab report that 7.45% of users of the company's retail security products were found to have computers infected with malicious programs through the WMF exploit as of today. That's up from 6% of users on Saturday.
The chance of running into a malicious WMF file is climbing, and with it the danger of running an unpatched system (see "Risk of Windows WMF attacks jumps 'significantly,' security firm warns"). Already, one security Web site has had to warn visitors to stay away: The owners of the knoppix-std.org site warned in a forum posting that hackers had modified the site in an attempt to exploit the vulnerability on site visitors' machines.
There is "a lot of potential risk" associated with the vulnerability, according to Jay Heiser, a research vice president at Gartner Inc. and the company's lead analyst on information security issues.
"If it can be exploited in any significant way, it would be an extremely big risk," he said. "It's a race between Microsoft and the exploit community."
The bad guys had a head start in that race. Security researchers at Websense Inc. first spotted malicious Web sites using the exploit on Dec. 27,
Reprinted with permission from
Story copyright 2009 International Data Group. All rights reserved.
Viruses
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Can Heuristic Technology Help Your Company Fight Viruses?
What is Heuristic Technology and how can it help safeguard your business against viruses? Learn more.
Best Practices for Log Monitoring
Watch Now!
US Military Command Prevents Zero Day Attack with Application Whitelisting
Download this Whitepaper Today!
Data in Action: Making the Planet Smarter
Register Now
Employee Web Use and Misuse
Download this new White Paper today!
The Workday User Experience Video
Watch Workday's Creative Director, Scott Lietzke, discuss the business-centered design philosophy at Workday.
Get More from Your IT Budget
Download this new white paper today!
Business Process Framework Demo
Learn about Configurable Business Processes and Calculated Fields. Watch Now!

