Security threats Toolkit

Microsoft U-turn as WMF patch released early

Tags:
Security,
Microsoft,
Patching,
WMF

Joris Evers CNET News

Published: 05 Jan 2006 21:35 GMT

Microsoft released a fix for a serious security vulnerability in Windows on Thursday, several days before the patch's scheduled delivery.

The company is breaking with its monthly patch cycle because it completed testing of the security update earlier than it anticipated, it said in a note on its Web site. "In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible," the company said.

Security bulletin MS06-001, originally scheduled for Tuesday, is the first security bulletin of this year and fixes a vulnerability in the way Windows renders Windows Meta File images. The bug was discovered last week and is increasingly being used in what Microsoft calls "malicious and criminal attacks on computer users."

Critics had called for Microsoft to release the patch as soon as possible. With people unable to patch their systems, the flaw could provide an opportunity for cybercriminals to launch increasingly sophisticated attacks on users, they have said.

Some security experts, in an unusual move, even recommended that users apply a third-party patch developed by European programmer Ilfak Guilfanov.

No fix for Windows 98, ME
Also on Thursday, Microsoft said that older versions of Windows are immune to the latest wave of attacks targeting the operating system.

While Windows 2000, Windows XP and Windows Server 2003 are vulnerable, Windows 98 and Windows Millennium Edition are not exposed to the same threats that exploit the WMF flaw, according to an update to a Microsoft security advisory on the issue.

Microsoft initially also listed the older versions of the operating system as equally vulnerable, but has now backpedalled on that, giving users of older Windows versions a reprieve.

"Although Windows 98, Windows 98 Second Edition and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a critical severity rating for these versions," the company said in its updated advisory.

In more bad news for vulnerable PCs, Microsoft warned of another way for attackers to use the flaw--via a malicious image embedded in a Microsoft Office document. The company previously said that an attack could only occur if a user visited a Web site containing a malicious image or opened such a file attached to an e-mail.

Microsoft does not say whether the older Windows versions could be susceptible to less-serious attacks. Because the issue is not deemed critical for Windows 98 and ME, Microsoft no longer plans to issue a security fix for these OSes. "Per the support life cycle of these versions, only vulnerabilities of critical severity would receive security updates," the company said.