Update: Microsoft patch for WMF flaw to be released Jan. 10

But security experts recommend installation of an unofficial patch now

Microsoft Corp. said today that it does not plan to release a fix for the Windows Metafile (WMF) flaw until Jan. 10, when a patch will be included as part of the company's scheduled monthly updates for January.

Microsoft has completed development of a patch for the flaw and is now testing it for quality and application compatibility, the company said in an advisory updating an earlier advisory released last week.

The update will be available at Microsoft's Download Center in 23 languages for all affected versions of the Windows operating system.

"Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement," the company said in its statement. "Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread."

Corporate IT departments should do a risk assessment before deciding whether to wait for the official patch or not, officials at SANS Institute's Internet Storm Center (ISC) said in a note this morning. "What would be the cost to your company if you are compromised between now and January 10 if the update is released as mentioned?" the note said in direct language.

"Can you really afford to do nothing? Are you willing to gamble that unregistering the dll is sufficient or do you go with defense in depth and apply the unofficial patch? You make the choice," ISC officials said.

Yesterday, security researchers at the ISC urged Windows users to install an unofficial security patch now and not wait for Microsoft to make its move.

Their recommendation followed a new wave of attacks on a flaw in the way Windows versions from 98 through XP handle files in the WMF format. One such attack arrives in an e-mail message titled "happy new year," bearing a malicious file attachment called "HappyNewYear.jpg" that is really a disguised WMF file, said security research companies including iDefense Inc. and F-Secure Corp. (see "Risk of Windows WMF attacks jumps 'significantly,' security firm warns").

Even though the file carries a JPEG extension, Windows identifies the content as a WMF by inspecting the file itself rather than its name, and processing it as a WMF triggers the flaw and runs the code the file carries.
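The practical consequence for defenders is that filtering on file extension is useless: a scanner has to look at the bytes. The following Python script is an added example, not code from the article, from Microsoft, or from the ISC, that does the same content inspection Windows does: it sniffs JPEG and WMF headers regardless of the file name, flags the mismatch, and then walks the WMF record stream. The escape subfunction it flags, SETABORTPROC (escape code 9) carried in a META_ESCAPE record (function 0x0626), is the one the WMF flaw involves; the article does not name it and it is stated here from the WMF file format specification and the public analyses of the flaw. All sample files are constructed inline, including a harmless stand-in for "HappyNewYear.jpg" that contains no real payload.

```python
import struct

# WMF constants from the Windows Metafile format specification.
WMF_PLACEABLE_KEY = 0x9AC6CDD7   # key of the optional 22-byte placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009            # escape subfunction abused by the WMF flaw
JPEG_SOI = b"\xff\xd8\xff"


def sniff(data):
    """Classify by content, the way the image handler does, not by extension."""
    if data.startswith(JPEG_SOI):
        return "jpeg"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == WMF_PLACEABLE_KEY:
        return "wmf"
    if len(data) >= 18:
        # Standard header: Type (1 memory, 2 disk), HeaderSize 9 words, Version.
        mtype, hsize, version = struct.unpack("<HHH", data[:6])
        if mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def wmf_records(data):
    """Yield (function, params) for every record; raise ValueError if malformed."""
    off = 22 if struct.unpack("<I", data[:4])[0] == WMF_PLACEABLE_KEY else 0
    off += 18  # skip the standard header
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2  # RecordSize is counted in 16-bit words
        if size < 6 or off + size > len(data):
            raise ValueError("truncated or malformed record at offset %d" % off)
        yield func, data[off + 6:off + size]
        if func == META_EOF:
            return
        off += size
    raise ValueError("no META_EOF record")


def analyze(filename, data):
    """Return type, list of findings and a suspicious flag for one attachment."""
    kind = sniff(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if kind == "wmf":
        if ext != "wmf":
            findings.append("extension .%s but content is WMF" % ext)
        try:
            for func, params in wmf_records(data):
                if func == META_ESCAPE and len(params) >= 4:
                    esc, count = struct.unpack("<HH", params[:4])
                    if esc == SETABORTPROC:
                        findings.append("META_ESCAPE SETABORTPROC with %d bytes of escape data" % count)
        except ValueError as err:
            findings.append("malformed WMF: %s" % err)  # parse failure is itself a red flag
    return {"type": kind, "findings": findings, "suspicious": bool(findings)}


# --- constructed sample files (not real malware) -----------------------------
def _wmf(records):
    body = b"".join(records)
    total_words = (18 + len(body)) // 2
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHHHHIH", 1, 9, 0x0300, total_words & 0xFFFF,
                         total_words >> 16, 0, max_words, 0)
    return header + body


def _escape_record(escape_function, payload):
    size_words = (4 + 2 + 2 + 2 + len(payload)) // 2
    return struct.pack("<IHHH", size_words, META_ESCAPE, escape_function, len(payload)) + payload


EOF_RECORD = struct.pack("<IH", 3, META_EOF)
SETMAPMODE_RECORD = struct.pack("<IHH", 4, META_SETMAPMODE, 1)

SAMPLES = {
    "photo.jpg": JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32,      # JPEG stub
    "drawing.wmf": _wmf([SETMAPMODE_RECORD, EOF_RECORD]),                   # benign WMF
    # Stand-in for the mislabeled attachment: a WMF with a SETABORTPROC escape
    # whose "data" is inert filler, under a .jpg name.
    "HappyNewYear.jpg": _wmf([_escape_record(SETABORTPROC, b"\x90" * 16), EOF_RECORD]),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, analyze(name, blob))
```

Treat this as triage, not protection: a file that the scanner cannot parse is reported as suspicious rather than clean, because the rendering code on an unpatched machine will still try to process it, and a mail gateway that only strips ".wmf" attachments would pass the mislabeled file straight through.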

Microsoft said in an advisory last week that to exploit a WMF vulnerability by e-mail, "customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability."

However, simply viewing the folder that contains the affected file, or even allowing the file to be indexed by desktop search utilities such as Google Desktop, can trigger its payload, F-Secure Chief Research Officer Mikko Hypponen wrote in his company's blog.

In addition, source code for a new exploit was widely available on the Internet by Saturday, allowing the creation of new attacks with varied payloads. The file "HappyNewYear.jpg," for example, attempts to download the Bifrose back door, researchers said.

Alarmed by the magnitude of the threat, staff at the ISC worked over the weekend to validate and improve an unofficial patch developed by Ilfak Guilfanov to fix the WMF problem, according to an entry in the Handler's Diary, a running commentary on major IT security problems on the ISC Web site.

"We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective," Tom Liston wrote in the diary.

"You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected," Liston wrote.

In the diary, ISC provided a link to the version of the patch it has examined, including a version designed for unattended installation on corporate systems.

While ISC recognizes that corporate users will find it unacceptable to install an unofficial patch, "acceptable or not, folks, you have to trust someone in this situation," Liston wrote.

Microsoft representatives could not be reached for comment this morning.

Guilfanov published his patch on his Web site on Saturday. His introduction to it can be found at http://www.hexblog.com/2005/12/wmf_vuln.html.

F-Secure's Hypponen highlighted Guilfanov's patch in his company blog on Saturday night and yesterday echoed the ISC's advice to install the patch.

Not all computers are vulnerable to the WMF threat: Those running non-Windows operating systems are not affected.

According to Ken Dunham, director of the rapid response team at iDefense, Windows machines with Data Execution Prevention (DEP) enabled are at least safe from the WMF attacks seen so far. Microsoft, however, said that software-enforced DEP offers no protection from the threat, although hardware-enforced DEP may help.

For more on this, see "How to protect against Windows WMF attacks".

Computerworld's Jaikumar Vijayan contributed to this report.

Copyright © 2006 IDG Communications, Inc.
