- 12 myths about how the Internet works
- Smartphone smackdown: Storm vs. iPhone
- IETF: Should we ignore the Kaminsky bug?
- Top 10 wicked cool algorithms
- How to recession-proof yourself
Amid controversy and customer demand surrounding a flaw in its Windows operating system, Microsoft on Thursday abandoned its announced timetable for supplying a fix and rushed a patch onto its Web site to correct a problem that could allow a hacker to gain control over desktops or servers.
The company said in a statement that it was reacting to “strong customer sentiment that the release should be made available as soon as possible” to patch the flaw in the Microsoft Windows Metafile (WMF) image-rendering engine. Microsoft also was feeling heat from security experts who said the vendor’s response was too slow.
Originally, Microsoft had said it was testing a patch that would be available on Jan. 10, the day of its regular monthly release of patches. Microsoft found out about the WMF exploit on Dec. 27. On Thursday afternoon, the company sent out an advisory saying patch MS06-001, the company’s first patch of the New Year, would be available Thursday, Jan. 5, at 2 p.m. PDT.
Microsoft plans to hold a Web cast on Jan. 6 to provide deployment guidance and answer questions. Users can sign up for the Web cast here.
Users also can consult Microsoft’s Security Advisory 912840.mspx for guidance on how to prevent attacks through exploitation of the WMF vulnerability.
The WMF flaw has been the focus of a so-called zero-day exploit - malicious code taking advantage of the hole in the operating system and either showed users the announcement “Congratulations, you’ve been infected!” before taking over their machines or worked silently in the background seeding the PC with spyware and adware.
The threat presented by the WMF vulnerability was perceived by security experts to be so severe that the SANS Institute, a security organization that monitors Internet threats, took the unusual step of offering a WMF patch of its own for Windows XP and Windows 2000. Security vendor Eset, also jumped in with a WMF patch of its own.
“In this case, Microsoft is taking too long,” said Johannes Ullrich, chief research officer at SANS Institute.
While Microsoft does not bind users to any contractual limitation on using third-party patches, the company urged users to wait for its official patch.
The issue only got more complex when Microsoft mistakenly released a not-fully-tested version of the WMF patch, then telling customers to “disregard the postings.”
Rss FeedRss Feed
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 The Leader in Network Knowledge© 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment