Microsoft Corp. released a patch for the Windows Metafile (WMF) flaw at 5 p.m. Eastern time today in response to what it described as "strong customer sentiment" for an early fix to the problem.
Enterprise customers who are using Windows Server Update Services will receive the update automatically, the company said in a statement this afternoon. Manual downloads are now available at http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx.
In addition, the update is supported by Microsoft Baseline Security Analyzer 2.0, Systems Management Server and Software Update Services, the company said. Individual users who use Automatic Updates will receive the patch automatically.
"Microsoft will continue to monitor attack data, which has thus far indicated that the attacks exploiting this vulnerability are limited and mitigated by efforts to shut down malicious Web sites and with up-to-date signatures from antivirus solutions," the company said in its statement.
In addition to the patch for the WMF flaw released today, Microsoft will also release a security bulletin detailing updates for flaws in Windows, Exchange and Office products that will be released on Jan 10. The maximum severity rating for the flaws described in these bulletins is critical, the company said in an advance notification released today.
The company will also release an updated version of its malicious-code-removal tool on Tuesday as part of its monthly security updates.
Johannes Ullrich, chief technology officer at the SANS Internet Storm Center (ISC) in Bethesda, Md., said his company has tested the patches and they appear to be working fine.
"It's really good of Microsoft to have released the patches so quickly," said Ullrich, whose organization had been recommending that companies download a third-party patch released by a Belgian security expert instead of waiting for Microsoft's scheduled Jan. 10 update.
"So far as we can tell, the [third-party] patch does not interfere with Microsoft's patch," Ullrich said. But it is better for those who have installed the unofficial patch to uninstall it after they have implemented the Microsoft patch, he said.
"It can only hurt at that point" to have both patches, Ullrich said, adding that SANS's ISC has posted details on its Web site telling users who may have installed any of the earlier patches or work-arounds how to update to the official Microsoft release.
Chris Christiansen, an analyst at IDC in Framingham, Mass., said the early move by Microsoft to release the patch is not a surprise because the company has "grown much more responsive over the last few years to security vulnerabilities." The company created its regularly scheduled update cycle in response to earlier customer concerns about previous piecemeal efforts and is now breaking from its regular schedule because of the severity of this vulnerability, he said.
"I see this as a good thing, that they see this as a schedule that needs to be broken" in this case, Christiansen said.
"We are very excited and glad that Microsoft broke its usual schedule" for releasing patches, said Matt Kesner, chief technology officer at Fenwick & West LLP, a Mountain View, Calif.-based law firm. IT staffers at the firm met today to discuss plans for testing and rolling out the patches on an emergency basis, Kesner said.
Fenwick & West had already looked at Microsoft's work-arounds for the flaw but had been unsure of their efficacy. At the same time, the law firm was reluctant to download any unofficial third-party patch to fix the problem.
The government of Virginia's Arlington County has already begun testing the patches and plans to roll them out as quickly as possible, starting with its most critical systems first, said Dave Jordan, chief information security officer for the county government.
Alan Paller, research director at SANS, said he is "pleasantly surprised" that Microsoft issued the patch today after company officials insisted it wouldn't be released until next Tuesday. "Four days early is good," Paller said. "Four days after the announcement [of the exploit] would have been better. Two days would have been even better. It's a resource issue. Are they putting the people together in place to protect their customers? That's what the whole issue is about to me.
"If a really big attack came," Paller said, "and they had to wait 15 days [to release a patch], what would you say, 'Oops?'"
Pete Lindstrom, an analyst at Spire Security in Malvern, Pa., said the patch should give Windows users peace of mind, but it could also lull them into a false sense of security. Instead of focusing on individual flaws, users need to look at overall security issues to better protect themselves and their companies, he said.
"I think people focus on individual vulnerabilities because the jury is out on what a strategic vulnerability approach should look like," Lindstrom said. "There's no reason for people to focus on this particular vulnerability except that this is the one we're focusing on."
The WMF issue does indeed highlight the need for companies to have a security strategy that is not overly dependent on a vendor's ability to get patches out quickly, said the director of information security at a speciality retailer chain in California, who requested anonymity.
"It verifies the point that it is not necessarily only the vendors themselves but a number of different avenues" that companies need to turn to for fixes to some problems, he said.
In this case, rather than wait for Microsoft's official fix, the retailer relied on information from various online bulletin boards to implement a variety of preventive controls, including URL, attachment and image filters and intrusion-detection systems, he said.
The company also tested the third-party patch and had made the decision to implement it on critical systems if the need arose, but then Microsoft said it would release its own fix for the vulnerability early.
Dan Keldsen, an analyst at Boston-based Delphi Group, a Perot Systems company, said Microsoft "didn't have much of a choice in releasing [a patch]. It's not like they have great goodwill in the security industry anyhow."
Computerworld's Todd R. Weiss contributed to this report..
For more on the WMF vulnerability, see:
- "WMF FAQ: What you need to know"
- "Pre-release Microsoft patch for WMF flaw leaked"
- "Attempts to exploit WMF vulnerability by IM multiply"
- Computerworld's WMF continuing coverage page