Microsoft Releases Fix for WMF Flaw Ahead of Schedule

Says user pressure influenced decision to change course

Citing "very strong customer sentiment" and an earlier-than-expected wrap-up of testing work, Microsoft Corp. last week released a patch for a flaw in a Windows image-processing module after initially saying the fix wouldn't be issued until tomorrow.

Microsoft's reversal of course on Thursday came as malicious hackers ratcheted up their attempts to exploit the flaw and IT managers and security analysts differed on whether corporate users should install an unofficial third-party fix or wait for the software vendor's patch.

Some IT executives interviewed by Computerworld said that before Microsoft issued the patch, they were in a quandary over how best to protect their systems against the Windows Metafile flaw.

"We frankly don't know quite what to do," said Matt Kesner, chief technology officer at Fenwick & West LLP. "To use the old colloquialism, we are damned if we do and damned if we don't."

Waiting until this week for Microsoft's patch could have exposed the Mountain View, Calif.-based law firm's systems to exploits targeting the WMF vulnerability, Kesner said. Fenwick & West's IT staffers were unsure whether the work-around procedures initially suggested by Microsoft would have provided sufficient protection, he said.

But, Kesner added, installing an unofficial patch on the law firm's Windows servers could result in unforeseen consequences and raise potential support issues with Microsoft if the systems had technical problems in the future.

After hearing of the software vendor's change in plans, Kesner said he was "very excited and glad that Microsoft broke its usual schedule" of releasing patches on the second Tuesday of each month. IT workers at Fenwick & West met on Thursday to discuss plans for testing and rolling out the WMF patch on an emergency basis.

Dave Jordan, chief information security officer for Virginia's Arlington County, said Thursday afternoon that staffers there had already started testing different versions of Microsoft's patch and planned to deploy them as quickly as possible.

WMF is a 16-bit image format that is processed by the graphics-rendering engine in Windows. The flaw came to light in late December after security vendors began detecting exploit attempts. Attackers could use the vulnerability to run malicious code on vulnerable machines, steal data from infected systems and turn the computers into zombies for relaying spam and other malware, according to advisories from Microsoft and security researchers.

There were no known reports of widespread attacks on corporate systems, and Microsoft listed 11 security vendors that claimed their antivirus tools could protect users from attempts to exploit the flaw.

But some security vendors pegged the total number of attack methods targeting the vulnerability at more than 200 as of Thursday. The escalating number of attacks prompted some security researchers to recommend that companies immediately download the unofficial patch developed by Ilfak Guilfanov, a programmer who works in Belgium.

For example, Bethesda, Md.-based SANS Institute made Guilfanov's patch available on its Web site and urged IT managers to download it. The unofficial patch had been downloaded more than 120,000 times as of last Wednesday, said Johannes Ullrich, chief technology officer at the Internet Storm Center threat-monitoring service operated by SANS.

F-Secure Corp., one of the companies on Microsoft's list of antivirus vendors that can block WMF attacks, also recommended the use of Guilfanov's patch after testing and installing it internally. The U.S. Computer Emergency Readiness Team provided a link to the patch on its site but urged companies to do their own risk assessments. Wary of Third Parties

Others said that despite the potential seriousness of the WMF flaw, users should avoid installing any unsupported patches because such code is unlikely to have been fully tested for application compatibility and quality.

"It is never a good idea to deploy an untested third-party patch. It's an invitation for bigger problems," said Andrew Plato, president of Anitian Enterprise Security, a systems integration and consulting firm in Beaverton, Ore. He added that the WMF vulnerability "is bad, but no worse than a hundred other exploits, many of which remain undisclosed."

Tom Robertson, senior vice president of IT at Charter Bank in Bellevue, Wash., said his staff was updating the bank's antivirus and antispam tools, as well as its content filters and network intrusion-protection systems while waiting for Microsoft's fix. But he said the bank was unlikely to install any third-party Windows patches.

The WMF issue highlights the need for users to have an IT security strategy that isn't overly dependent on a vendor's ability to get patches out quickly, said the director of information security at a specialty retail chain in California.

Instead of simply waiting for Microsoft's patch, the retailer relied on information from online bulletin boards to implement preventive controls such as intrusion-detection systems and URL, attachment and image filters, said the security director, who asked not to be identified. He said the company also had tested Guilfanov's patch and decided that it could be implemented on critical systems if the need arose.

For more on the WMF vulnerability, see:


Key details about the Windows Metafile flaw:

What it is: A vulnerability caused by the manner in which the Windows Graphics Rendering Engine handles WMF files.

Potential risks: Could enable malicious hackers to take full administrative control of vulnerable systems.

Affected software: Windows 2000, Windows XP and Windows Server 2003.

Possible exploit methods: Malicious Web pages, specially crafted e-mail attachments or Word documents with embedded WMF images.

Copyright © 2006 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon