Thursday 5 January 2006

Breaking news: Microsoft relents on WMF patch date

This just in from the Microsoft Security Response Center:

Important Information for Thursday 5 January 2006

Microsoft announced that it would release a security update to help protect customers from exploitations of a vulnerability in the Windows Meta File (WMF) area of code in the Windows operating system on Tuesday, January 2, 2006, in response to malicious and criminal attacks on computer users that were discovered last week.

Microsoft will release the update today on Thursday, January 5, 2006, earlier than planned.

Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release.

In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.

Microsoft's monitoring of attack data continues to indicate that the attacks are limited and are being mitigated both by Microsoft's efforts to shut down malicious Web sites and with up-to-date signatures form anti-virus companies.

The security update will be available at 2:00 pm PT as MS06-001.

Enterprise customers who are using Windows Server Update Services will receive the update automatically. In additional the update is supported Microsoft Baseline Security Analyzer 2.0, Systems Management Server, and Software Update Services. Enterprise customers can also manually download the update from the Download Center.

Microsoft will hold a special Web cast on Friday, January 6, 2006, to provide technical details on the MS06-001 and to answer questions. Registration details will be available at http://www.microsoft.com/technet/security/default.mspx.

Microsoft will also be releasing additional security updates on Tuesday, January 10, 2006 as part of its regularly scheduled release of security updates.

Wednesday 4 January 2006

WMF security hole: take action!

Update: get the patch now from Microsoft Update. (Do not pass Go. Do not collect 200 pieces of silver.)

Late last year, Microsoft released advisory 912840 - Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution. Summary: there's a problem with displaying pictures that can give the bad guys the keys to your PC. Ouch.

Make sure your anti-virus and anti-spyware definitions are up-to-date!

While there is no patch yet, Microsoft suggests a workaround -- Start|Run and then type this:

regsvr32 -u %windir%\system32\shimgvw.dll

The vulnerability appears to be in gdi32.dll and can even be triggered if a full-text indexing engine such as Google Desktop scans a saved WMF (Windows Metafile).

Microsoft's official position is that there's no patch until Patch Tuesday, January 10. Its statement notes that:

Creating security updates that effectively fix vulnerabilities is an extensive process ... it must be tested with the different operating systems and applications it affects, then localized for many markets and languages across the globe.

Note that security researcher Ilfak Guilfanov has released an unofficial patch, which has been approved by the Internet Storm Center and F-Secure, among others. Microsoft's official position on what it calls "third-party patches" amounts to:

It is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software.

Even Scobe seems to be toeing the party line.

However, as F-Secure points out:

Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.

Be careful out there.


Tags: , , , .