Microsoft patches .wmf vuln

By Matt Whipp

Posted on 6 Jan 2006 at 11:50

Microsoft has made a patch available to address the .wmf vulnerability that was already being targeted by the virus underground.

The patch was released yesterday in the US following the security team finishing their testing ahead of schedule. Microsoft's monthly patch update release is due next Tuesday, so the decision to release this patch just four or five days ahead of the normal schedule indicates the serious nature of the threat.

Mike Nash Corporate Vice President responsible for security at Microsoft wrote in the team blog that the decision to release ahead of schedule was driven by talking to customers and that they had indicated a preference to have the patch available out of cycle.

Customers with automatic update turned on will automatically receive the update. At an enterprise level, Nash advised putting the patch through exactly the same testing procedures run on any security update before rolling it out.

But he is confident of the robustness and quality of his team's work. 'We have an update that we believe in. The team worked very hard to run all of the key scenarios that we are concerned about. While we would always like to have more time, we are confident in the quality of the update.'

'With the update available today, you certainly have the choice of deploying now or waiting until your normal release process,' he wrote. 'If it were my decision, I would move up the schedule. That is what we are doing in our IT operation here at Microsoft.'

The vulnerability, which results from problems in the way the Graphics Rendering Engine handles .wmf files, affects Windows from 2000 to XP and Server 2003 and could lead to an attacker having complete, remote control over a successfully exploited system.

The problems were published publicly and caused a furore in the security industry as Microsoft had not been given time to address the problem before details were disclosed.

Just days after the problems came to light on 27 December, Finnish security company F-Secure noted a growing number of Trojan programs being sent out, followed by full email worms. And it was long before high-level kits were available to enable even the novice to write sophisticated viruses exploiting the hole. UK security company Sophos noted more than 200 different attempts at exploiting the vulnerability since its disclosure.

Prior to Microsoft's official release, a patch was made available by Windows expert Ilfak Guilfanov, which a number of security vendors were recommending as a temporary fix.

However, security experts, including Guilfanov, advise using security fixes available from the original vendor once available - in this case Microsoft's. F-Secure has said it believes that installing Microsoft's patch over the that from Guilfanov has no negative impact on affected systems.

Microsoft's Mike Nash said: 'Actually creating the update was a straight forward process. The challenge was testing the update on all of the supported versions of Windows and the 23 languages we support and making sure that the set of applications that might be effected by this update are not negatively affected by this change.'

More information and the patch itself can be found at the Microsoft website.