Computerworld - A pre-release version of a Microsoft Corp. patch being developed to fix the recently disclosed Windows Metafile (WMF) flaw was "briefly and inadvertently" posted on a security Web site, the company confirmed this morning.
A spokeswoman for Microsoft refused to give further details on what exactly happened or on what site the pre-release patch was posted. But in a brief update to an earlier advisory on the WMF flaw, Microsoft noted that posting of the beta patch on the Internet has resulted in "some discussion and pointers on subsequent sites to the pre-release update."
"Microsoft recommends that customers disregard the postings," the company said.
The latest development comes as users and analysts appear to be divided on whether it's a good idea to install an already available third-party patch to fix the Windows WMF vulnerability or to wait for Microsoft Corp.'s official fix, which isn't slated to be released until Jan. 10.
The unofficial patch -- developed by Belgian programmer Ilfak Guilfanov -- works by disabling a DLL in Windows and has been available for download on Guilfanov's Web site at Hexblog.com for the past few days.
The influential SANS Internet Storm Center (ISC)) and security vendor F-Secure Corp. are among the organizations that have been advising users to download Guilfanov's patch to mitigate the risk caused by the WMF flaw rather than waiting for Microsoft's patch. SANS has made the patch available for download on its Web site and says that more than 120,000 downloads have already been made. F-Secure is another company that says it has tested and audited the patch, and is recommending that users download it to protect themselves against WMF exploits. "We're running it on all of our own Windows machines," the company said in a blog on its Web site.
This is the first time that SANS has recommended such a course of action and it underscores the severity of the risk posed to companies by the WMF flaw, said Johannes Ullrich, chief technology officer at the Bethesda, Md.-based ISC.
Even though Microsoft has suggested several work-arounds for the problem, "there is no effective mitigation against this vulnerability," Ullrich said. "It is not like you can disable a function or close a service to protect yourself" without a patch, Ullrich said.
What makes matters worse is that exploits for this vulnerability now exist, as are hacker tools designed to help such exploits sneak past anti-virus and other intrusion prevention defenses, he said. "It's a threat that's real and is being exploited, and there is
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
