Microsoft on Friday hosted a Web conference to detail the patch and the timing of its release for a lingering Windows vulnerability that caused a flap this week among users and security experts.

The company on Thursday rushed into release patch MS06-001 for a flaw in the Microsoft Windows Metafile (WMF) image-rendering engine. The vulnerability could allow a hacker to take over a desktop or server. It was Microsoft’s first patch of the year.

Microsoft’s delayed response in providing a patch brought heat from security experts who said the vendor’s response was too slow. The company knew about the patch for more than a week and first said it would not provide a fix until its regular monthly patch release slated for Jan. 10. Company officials also said they were reacting to “strong customer sentiment that the release should be made available as soon as possible.”

Microsoft said it found out about the vulnerability on Dec. 27 and spent Dec. 28 to Jan. 5 analyzing, assessing and responding to the vulnerability and finalizing the patch, which was released on Jan. 5.

Debby Fry Wilson, a director in Microsoft’s Security Response Center, said the patch was produced in record time, compressing several weeks of work into eight days.

“This is the fastest [we have produced a patch] by a significant margin,” she said, adding that testing is what consumes the most time. The patch was produced in 23 languages.

Microsoft officials said when they realized there were active exploits in the wild they focused all of their security resources on developing the patch.

“We were always working to get it done as fast as possible,” said Fry Wilson. “Our best estimation was that if we worked around the clock we would be fortunate to get this patch in our Jan. 10 release cycle. Fortunately in testing, we had very smooth sailing with no regressions to deal with or failure with application compatibility.”

When asked how often that happens, she would only say “we were very fortunate.”

The threat presented by the WMF vulnerability was perceived by security experts to be so severe that the SANS Institute, a security organization that monitors Internet threats, took the unusual step of offering a WMF patch of its own for Windows XP and Windows 2000. Security vendor Eset also jumped in with a WMF patch of its own.

Microsoft said during the Web cast that the vulnerability was rated critical for Windows 2000 SP4, XP SP1 and SP2, Windows Server 2003 and Server 2003 SP1. It was not rated critical for Windows 98, 98 SE or ME.

“In this case, Microsoft is taking too long,” said Johannes Ullrich, chief research officer at SANS Institute.

While Microsoft does not bind users to any contractual limitation on using third-party patches, the company urged users to wait for its official patch.

“We looked at the SANS patch, but we had not given it the thorough analysis or review that would have put us in a position to qualify it in any way,” said Fry Wilson. She also said timing on the patch was driven by Microsoft’s research that showed attacks were not spreading rapidly.

“We have been very consistent, although this is a serious issue, it is not of the nature of a worm. It does require user interaction,” said Fry Wilson. She said Microsoft has been tracking WMF exploits using its own anti-virus engine, forensic analysis and help from its anti-virus partners.

“When the incident is completed and all the data is in, the evidence will show that, although this was a serious issue, it was not something on the scale that has been reported by some commentators in the industry,” said Fry Wilson.

Corporate users running Windows Server Update Services will receive the update automatically. Microsoft said the update is supported by Microsoft Baseline Security Analyzer 2.0, Systems Management Server, and Software Update Services. Corporate users also can manually download the patch.

Consumers who use Automatic Updates will receive the update automatically. Users also can manually download the update from Microsoft Update or Windows Update.