Microsoft Buckles To Pressure, Releases WMF Patch Early

Facing mounting pressure for a patch to the Windows Meta File vulnerability, Microsoft issued a fix on Jan. 5, five days earlier than expected. Besides calming fears that attackers could use WMF images to execute malicious code on victims’ PCs, Microsoft hoped to quell a controversy over the use of unauthorized patches with its software.

A piece of code written by Russian programmer Ilfak Guilfanov–and endorsed by some security experts–to protect computers against WMF exploits reached unprecedented popularity for a third-party fix. It also sparked controversy over whether users were better served waiting for Microsoft or trusting an unauthorized patch.

The vulnerability stems from the way the Windows graphics rendering engine handles Windows Meta File images: attackers could use these images to launch malicious code on users’ computers. Microsoft acknowledged the vulnerability on Dec. 28 but said it wouldn’t make a fix available until Jan. 10, which would have given hackers 13 days to get creative embedding attacks within WMF images. The bug spurred more than 200 exploits as of last week, according to security firm Sophos plc.

Microsoft issues emergency patches only under certain circumstances. It initially decided the WMF vulnerability wasn’t an emergency: its infection rate had stabilized and the risk of infection was ranked as low to moderate, according to Debby Fry Wilson, a director in Microsoft’s security-response unit. But by Thursday, Microsoft had completed and released a patch, forgoing its original plan to issue the fix on the second Tuesday of the month, the date of its regular monthly security updates.

Third-party patches and workaround code aren’t unheard of for Microsoft software vulnerabilities, but “this is the first time I can recall where there has been community endorsement of a third-party patch,” Fry says of Guilfanov’s work. “That’s unusual.” Guilfanov, senior developer with Belgian software maker DataRescue, is best known for writing the IDA Pro software that security specialists use to dissect viruses and malware. Another unofficial patch, by a programmer at antivirus vendor Eset Software, was available Jan. 5.
