
Microsoft details patch, efforts to plug WMF vulnerability

Jan 06, 2006

Microsoft on Friday hosted a Web conference to detail the patch and the timing of its release for a lingering Windows vulnerability that caused a flap this week among users and security experts.

The company on Thursday rushed out patch MS06-001 for a flaw in the Windows Metafile (WMF) image-rendering engine. The vulnerability could allow an attacker to take over a desktop or server. It was Microsoft's first patch of the year.

Microsoft's delayed response in providing a patch brought heat from security experts who said the vendor was too slow. The company had known about the vulnerability for more than a week and first said it would not provide a fix until its regular monthly patch release slated for Jan. 10. Company officials later said they were reacting to "strong customer sentiment that the release should be made available as soon as possible."

Microsoft said it found out about the vulnerability on Dec. 27 and spent Dec. 28 to Jan. 5 analyzing, assessing and responding to the vulnerability and finalizing the patch, which was released on Jan. 5.

Debby Fry Wilson, a director in Microsoft's Security Response Center, said the patch was produced in record time, compressing several weeks of work into eight days.

“This is the fastest [we have produced a patch] by a significant margin,” she said, adding that testing is what consumes the most time. The patch was produced in 23 languages.

Microsoft officials said when they realized there were active exploits in the wild they focused all of their security resources on developing the patch.

“We were always working to get it done as fast as possible,” said Fry Wilson. “Our best estimation was that if we worked around the clock we would be fortunate to get this patch in our Jan. 10 release cycle. Fortunately in testing, we had very smooth sailing with no regressions to deal with or failure with application compatibility.”

When asked how often that happens, she would only say “we were very fortunate.”

The threat presented by the WMF vulnerability was perceived by security experts to be so severe that the SANS Institute, a security organization that monitors Internet threats, took the unusual step of offering a WMF patch of its own for Windows XP and Windows 2000. Security vendor Eset also released an unofficial WMF patch.

Microsoft said during the Web cast that the vulnerability was rated critical for Windows 2000 SP4, XP SP1 and SP2, Windows Server 2003 and Server 2003 SP1. It was not rated critical for Windows 98, 98 SE or ME.

“In this case, Microsoft is taking too long,” said Johannes Ullrich, chief research officer at SANS Institute.

While Microsoft does not bind users to any contractual limitation on using third-party patches, the company urged users to wait for its official patch.

“We looked at the SANS patch, but we had not given it the thorough analysis or review that would have put us in a position to qualify it in any way,” said Fry Wilson. She also said timing on the patch was driven by Microsoft’s research that showed attacks were not spreading rapidly.

“We have been very consistent, although this is a serious issue, it is not of the nature of a worm. It does require user interaction,” said Fry Wilson. She said Microsoft has been tracking WMF exploits using its own anti-virus engine, forensic analysis and help from its anti-virus partners.

"When the incident is completed and all the data is in, the evidence will show that although this was a serious issue, it was not something on the scale that has been reported by some commentators in the industry," said Fry Wilson.

Corporate users running Windows Server Update Services will receive the update automatically. Microsoft said the update is supported by Microsoft Baseline Security Analyzer 2.0, Systems Management Server, and Software Update Services. Corporate users also can download the patch manually.

Consumers who use Automatic Updates will receive the update automatically. Users also can manually download the update from Microsoft Update or Windows Update.
