Amid controversy and customer demand surrounding a flaw in its Windows operating system, Microsoft abandoned its announced timetable for supplying a fix and rushed a patch onto its Web site to correct a problem that could allow a hacker to gain control over desktops or servers.
The company said in a statement yesterday that it was reacting to "strong customer sentiment that the release should be made available as soon as possible" to patch the flaw in the Microsoft Windows Metafile (WMF) image-rendering engine. Microsoft also was feeling heat from security experts who said the vendor's response was too slow.
Timetable Moves Up
Originally, Microsoft had said it was testing a patch that would be available on January 10, the day of its regular monthly release of patches. Microsoft found out about the WMF exploit on December 27, and experts warned that waiting for a patch would be dangerous. Patch MS06-001 is the company's first patch of the New Year.
The WMF flaw has been the focus of a so-called zero-day exploit--malicious code that took advantage of the hole in the operating system and that either showed users the announcement "Congratulations, you've been infected!" before taking over their machines or worked silently in the background seeding the PC with spyware and adware.
The threat presented by the WMF vulnerability was perceived by security experts to be so severe that the SANS Institute, a security organization that monitors Internet threats, took the unusual step of offering a WMF patch of its own for Windows XP and Windows 2000. Security vendor Eset also jumped in with a WMF patch.
"In this case, Microsoft is taking too long," said Johannes Ullrich, chief research officer at SANS Institute.
Patch Confusion
While Microsoft does not bind customers to any contractual limitation on using third-party patches, the company urged users to wait for its official patch.
The issue only got more complex when Microsoft mistakenly released a not-fully-tested version of the WMF patch, then telling customers to "disregard the postings."
In its statement, Microsoft that said its "development and testing teams have put forth a considerable effort to address this issue..."
Corporate users running Windows Server Update Services will receive the update automatically. Microsoft said the update is supported by Microsoft Baseline Security Analyzer 2.0, Systems Management Server, and Software Update Services. Corporate users also can manually download the patch.
Consumers who use Automatic Updates will receive the update automatically. Users also can manually download the update from Microsoft Update or Windows Update. Go here for more information.
Microsoft said that it would continue to monitor attack data, but that its research so far indicates exploits are limited and can be blocked using antivirus software or workarounds.
Microsoft Executive Comments
In an interview with Computerworld last night, Debby Fry Wilson, director of the Microsoft Security Response Center, talked about her company's efforts to get the patch out and about the security community's response to the whole issue.
"This is the fastest we have ever produced and tested an update at Microsoft," she said. "We have completed it in approximately nine to ten days. The development of the code fix actually ended fairly quickly."
Wilson added, "What takes a long time is testing through all of the complex testing matrices that we do today. We do that because customers have been very adamant that they want to install an update just one time. The other complexity, of course, is that we released simultaneously in 23 different languages and for all platforms."
She said that early Microsoft workarounds may not have been the most effective means of protection for consumers but worked for enterprises, and also said that her company's analysis "remains consistent that the threat of infection had been contained and was not spreading rapidly."
Jaikumar Vijayan of Computerworld contributed to this story.
"Microsoft Rushes Out Patch for Windows Metafile Flaw" Comments