Microsoft gets ahead of itself with WMF patch

Microsoft released a fix for a serious security vulnerability in Windows on Thursday, several days before the patch's scheduled delivery.

The company is breaking with its monthly patch cycle because it completed testing of the security update earlier than it anticipated, it said in a note on its website. The company said: "In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible."

Security bulletin MS06-001, originally scheduled for Tuesday, is the first security bulletin of this year and fixes a vulnerability in the way Windows renders Windows Meta File (WMF) images. The bug was discovered last week and is increasingly being used in what Microsoft calls "malicious and criminal attacks on computer users".

Critics had called for Microsoft to release the patch as soon as possible. With people unable to patch their systems, the flaw could provide an opportunity for cyber criminals to launch increasingly sophisticated attacks on users, they have said.

In an unusual move, some security experts even recommended users apply a third-party patch developed by European programmer Ilfak Guilfanov.

The MS06-001 update was released 10 days after Microsoft learned of the vulnerability, the fastest turnaround ever for a Microsoft patch, company representatives said.

Microsoft does not know of any widespread attacks on Windows users but it urges customers to upgrade and deems the issue "critical".

Debby Fry Wilson, a director in Microsoft's Security Response Center, said in an interview: "Although the attacks based on WMF are very real, and the exploitation and the threats are evolving on a very fast basis, our analysis is consistent that the infection rate is low to moderate. However, the threat is very real, and customers should take the action of deploying this update as soon as possible."

But others say Windows users face an onslaught of attacks. Security monitoring company Websense said it has identified thousands of websites that attempt to exploit the flaw. Additionally, instant messaging worms, Trojan horses and spammed emails with malicious image attachments have surfaced, according to experts.

Also, hackers have been quick to craft tools which make it easy to create malicious image files that take advantage of the flaw, experts said. These new files can then be used in attacks. The tools themselves can be downloaded from the internet.

One security expert applauded Microsoft for releasing the fix early. Mikko Hypponen, chief research officer at security company F-Secure, said: "Everybody was hoping they would get the patch out before a major attack would start. Now it looks like they are succeeding in doing just that. Well done."

F-Secure said in its company blog that it has tested the patch and it appears to coexist with the Guilfanov fix.

Also on Thursday, Microsoft said older versions of Windows - which it had initially listed as equally vulnerable - are immune to the latest wave of attacks targeting the operating system.

While Windows 2000, Windows XP and Windows Server 2003 are vulnerable, Windows 98 and Windows ME are not exposed to the same threats that exploit the WMF flaw, according to an update to a Microsoft security advisory on the issue.

The WMF code in the older versions of Windows isn't flawless but the vulnerability is much harder to exploit, said Mike Reavey, an operations manager at the Microsoft Security Response Center.

Reavey said: "There are a lot of mitigating factors, a lot of initial user action. It is a much different attack. You may be eventually able to get to the code but it certainly would not be on the level of critical."

Hypponen also said the older Windows versions are not currently under attack. "Although the WMF bug is there [in the older versions], there's no known code at the moment to exploit it," he said.

Still, releasing a patch for Windows 98 and Windows ME would be the right thing to do, according to Mike Murray, director of vulnerability and exposure research at nCircle in San Francisco. "Even Microsoft acknowledges that the vulnerability exists in those OSes, [so] someone will figure out how to exploit it," he said.

By not fixing the older versions of Windows, Microsoft is leaving its customers out in the cold, Murray added. "In a way, they are forcing customers to upgrade, saying that you can continue to use those older operating systems if you want to be vulnerable," he said.

In more bad news for vulnerable PCs, Microsoft warned of another way for attackers to use the flaw - via a malicious image embedded in a Microsoft Office document. The company previously said an attack could only occur if a user visited a website containing a malicious image or opened such a file attached to an email.

Because the issue is not deemed critical for Windows 98 and ME, Microsoft no longer plans to issue a security fix for these OSes. The company said: "Per the support lifecycle of these versions, only vulnerabilities of critical severity would receive security updates."

Joris Evers writes for CNET News.com