Microsoft Says WMF Patch Could Come EarlyMicrosoft Says WMF Patch Could Come Early

As Microsoft's customers wrestle with ways to protect their systems from falling victim to the Windows Metafile (WMF) vulnerability, the company said Thursday it will issue its long-anticipated WMF patch as soon as it's done—which means possibly sooner than the previously announced "patch Tuesday" date of Jan. 10.

Microsoft issues emergency patches under certain circumstances, and such a patch was considered for the WMF vulnerability. But the WMF vulnerability's infection rates have stabilized, and the risk of infection is generally seen as low to moderate, says Debby Fry Wilson, a director in Microsoft's security response unit. Microsoft's decision to release the WMF patch along with the rest of its regularly scheduled patch download on Tuesday has nothing to do with any additional cost the company might incur from an emergency patch download, Fry says. In fact, she says that if the patch is ready prior to Jan. 10, it will be issued.

Whether this will happen is cause for speculation. Microsoft claims, via its Security Response Center blog, that the company is continuing to work on finalizing a security update for the vulnerability in WMF. In the blog, Security Response Center operations manager Mike Reavey also acknowledges that, in Microsoft's effort to "put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site." Microsoft recommends its customers disregard the posting and wait until a fully tested patch is issued next week.

The availability of a highly endorsed, but unauthorized, piece of workaround code written by Russian programmer Ilfak Guilfanov, coupled with the number of WMF exploits already discovered, has created waves in Microsoft's normal patch-issuing schedule. Experts have been divided over whether it's wise to use Guilfanov's Hexblog code to protect against the WMF vulnerability, which was discovered on Dec. 27. Guilfanov, senior developer with Belgian software maker DataRescue, is best known for writing IDA Pro software used by security specialists to dissect viruses and malware.

Third-party patches or workaround code are not unheard of for Microsoft vulnerabilities, but "this is the first time I can recall where there has been community endorsement of a third-party patch," Fry says of Guilfanov's work. "That is unusual."