Microsoft To Rush Out WMF Patch Today
Attacked for moving too slowly to patch the current Windows Metafile vulnerability, Microsoft will make a security update available five days ahead of schedule.
Beset by criticism for moving too slowly in its efforts to patch the current Windows Metafile, or WMF, vulnerability, Microsoft now says it will make its MS06-001 WMF security update available after 2 p.m. PST on Thursday, five days ahead of schedule.
The company issued an E-mail Thursday afternoon stating that business customers using Windows Server Update Services will receive the update automatically. Consumers who use Automatic Updates will receive the update automatically and do not need to take any additional actions.
In addition, the update is supported by Microsoft Baseline Security Analyzer 2.0, Systems Management Server, and Software Update Services. Business customers also can manually download the update from Microsoft's Download Center.
Prior to Thursday, Microsoft had said it would not issue an emergency patch for the WMF vulnerability because the vulnerability's infection rates had stabilized and the risk of infection was generally seen as low to moderate, says Debby Fry Wilson, a director in Microsoft's security response unit. Although the WMF vulnerability was discovered on December 27, Microsoft said it needed time to properly test its patch.
A pre-release version of the WMF vulnerability patch code had been leaked to a security community site on Wednesday, but Microsoft warned users against using it. Steve Gibson, president of Gibson Research, said in an E-mailed interview that he had downloaded the pre-release patch and tested it. "The updated GDI32.DLL file contained in this patch was built in the evening of December 28th, last Wednesday. It is clear that Microsoft jumped on this problem—and had it resolved—almost immediately."
Microsoft will still release security updates on January 10 as part of its regularly scheduled release of security updates.
The availability of a highly endorsed, but unauthorized, piece of workaround code written by Russian programmer Ilfak Guilfanov, coupled with the number of WMF exploits already discovered, has created waves in Microsoft's normal Patch Tuesday schedule. Experts have been divided over whether it's wise to use Guilfanov's Hexblog code to protect against the WMF vulnerability, which was discovered on December 27. Guilfanov, senior developer with Belgian software maker DataRescue, is best known for writing IDA Pro software used by security specialists to dissect viruses and malware.
Third-party patches or workaround code are not unheard of for Microsoft vulnerabilities, but "this is the first time I can recall where there has been community endorsement of a third-party patch," Fry says of Guilfanov's work. "That is unusual."