Microsoft says 'Wait for us' as WMF threat climbs
It does not plan to release a patch until Jan. 10
IDG News Service - While some security researchers are advising Windows users to rush to install an unofficial patch to fix a vulnerability in how the operating system renders graphics files, Microsoft Corp. wants customers to wait another week for its official security update.
The problem is in the way various versions of Windows handle graphics in the Windows Metafile format. When a vulnerable computer opens a maliciously crafted WMF file, it can be forced to execute arbitrary code. Microsoft published its first security advisory on Dec. 28, saying it had received notification of the problem on Dec. 27 and was investigating whether a patch was necessary.
Today, Microsoft updated the advisory to say it has completed development of its own patch and is now testing it for release next week.
"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on Jan. 10, 2006," said the advisory.
The company said it carefully reviews and tests its security updates and offers them in 23 languages for all affected versions of its software simultaneously. Microsoft "cannot provide similar assurance for independent third-party security updates," it said.
The number of users potentially at risk is high, with all versions of Windows exhibiting the vulnerability, but the number actually affected so far is relatively low, researchers say.
Staff at McAfee Inc.'s Avert security research lab report that 7.45% of users of the company's retail security products were found to have computers infected with malicious programs through the WMF exploit as of today. That's up from 6% of users on Saturday.
The chance of running into a malicious WMF file is climbing, and with it the danger of running an unpatched system (see "Risk of Windows WMF attacks jumps 'significantly,' security firm warns"). Already, one security Web site has had to warn visitors to stay away: The owners of the knoppix-std.org site warned in a forum posting that hackers had modified the site in an attempt to exploit the vulnerability on site visitors' machines.
There is "a lot of potential risk" associated with the vulnerability, according to Jay Heiser, a research vice president at Gartner Inc. and the company's lead analyst on information security issues.
"If it can be exploited in any significant way, it would be an extremely big risk," he said. "It's a race between Microsoft and the exploit community."
The bad guys had a head start in that race. Security researchers at Websense Inc. first spotted malicious Web sites using the exploit on Dec. 27, but those sites may have been doing so as early
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts