GuidesMicrosoft Patches WMF Flaw Early

Microsoft Patches WMF Flaw Early

ServerWatch content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

If enough people complain, even software giants like Microsoft heed their call.
To address customer complaints and users going to unofficial patches for the answer, Microsoft has fixed a critical flaw five days early.

That’s the takeaway from yesterday’s advisory from Redmond, which said it would patch a critical vulnerability in Windows metafile (WMF) Thursday, earlier than originally planned.

The latest patch comes after security experts discovered a critical vulnerability in the WMF last week that could potentially open up a user’s computer to remote exploitation and make changes to the system. Originally, the company intended to release the patch next week during its regularly scheduled Patch Tuesday security vulnerability update.

But Microsoft said Thursday it had moved the timetable up because it finished up tests early on the patch, as well as to respond “to strong customer sentiment that the release should be made available as soon as possible,” according to the advisory.

The security patch and details can be found here.

Since the vulnerability was first discovered, some Microsoft customers were downloading unofficial patches from third-party organizations while they awaited an official patch.

IDA Pro author Ilfak Guilfanov posted a hotfix on his blog, while ESET and patch management vendor Patchlink released interim patches today. Third-party patches can sometimes spell trouble of a different sort for customers in terms of software incompatibility issues.

In the case of Guilfanov’s patch, a fix for the WMF flaw was in high demand with computer owners. He wrote on his blog that the hotfix page needed to be stripped to the bare minimum because of the “incredibly high load” the page has experienced since the hotfix was publicized.

But downloading and installing installing patches on computers could have the unintended consequence of dealing damage to software applications.

“McAfee does not endorse, at this time, third-party patches,” said Craig Schmugar, virus research manager at the security company’s Anti-Virus Emergency Response Team (AVERT), despite seeing evidence of widespread infection of the WMF exploit since releasing an anti-virus definition 12 hours after discovery.

In a week’s time, he said, the particular signature ascribed to the WMF exploit was detected on 156,000 computers.

The reason, Schmugar said, is compatibility and quality assurance, reasoning backed up by Microsoft. In its security advisory published last week, Microsoft officials cautioned users against installing third-party patches, citing possible compatibility issues.

“As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software,” the advisory states. “With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft’s security updates are offered in 23 languages for all affected versions of the software simultaneously. Microsoft cannot provide similar assurance for independent third party security updates.”

Sometimes, however, drastic measures such as installing an unofficial patch are necessary. Tom Liston of the SAN Security Institute’s Internet Storm Center Web site called the WMF vulnerability “very, very bad” and said users cannot wait for the official patch from Microsoft.

Dean Turner, senior manager for security response at Symantec, wouldn’t come out and recommend users against installing unofficial patches, but warned network administrators to use caution.

“At the end of the day organizations need to be very careful about deploying patches of any kind, unofficial or otherwise,” he said. “I would recommend that if people are going to install a patch that they test it beforehand.”

He did recommend administrators apply Microsoft’s official patch as soon as possible.

Patchlink sent e-mails to customers this morning with several different courses of action its customers can take to address the WMF vulnerability.

According to Chris Andrew, Patchlink vice president of security technologies, the company wanted to provide several options for its customers, who could then pick the method they wanted to take. The company, like many security vendors, has also released workarounds to close down some of the avenues of attack the WMF exploit might make.

“This is a very new development that customers need to be aware of and need to look at,” he said.

This article was originally published on

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends & analysis

Latest Posts

Related Stories