Software // Enterprise Applications
04:05 PM

Microsoft Buckles To Pressure, Releases WMF Patch Early

Facing mounting pressure for a patch to the Windows Meta File vulnerability, Microsoft issued a fix on Jan. 5, five days earlier than expected. Besides calming fears that attackers could use WMF images to execute malicious code on victims' PCs, Microsoft hoped to quell a controversy over the use of unauthorized patches with its software.

A piece of code written by Russian programmer Ilfak Guilfanov--and endorsed by some security experts--to protect computers against WMF exploits reached unprecedented popularity for a third-party fix. It also sparked controversy over whether users were better served waiting for Microsoft or trusting an unauthorized patch. The vulnerability stems from how attackers could use the Windows' graphics rendering engine that handles Windows Meta File images to launch malicious code on users' computers via these images. Microsoft acknowledged the vulnerability on Dec. 28 but said it wouldn't make a fix available until Jan. 10, which would have given hackers 13 days to get creative embedding attacks within WMF images. The bug spurred more than 200 exploits as of last week, according to security firm Sophos plc.

Microsoft issues emergency patches only under certain circumstances. It initially decided the WMF vulnerability wasn't an emergency: Its infection rate had stabilized and the risk of infection was ranked as low to moderate, according to Debby Fry Wilson, a director in Microsoft's security-response unit. But by Thursday, Microsoft completed and released a patch, forgoing its original plan to issue a fix on the second Tuesday of the month, in keeping with its regular schedule of security updates.

Third-party patches and workaround code aren't unheard of for Microsoft software vulnerabilities, but "this is the first time I can recall where there has been community endorsement of a third-party patch," Fry says of Guilfanov's work. "That's unusual." Guilfanov, senior developer with Belgian software maker DataRescue, is best known for writing the IDA Pro software that security specialists use to dissect viruses and malware. Another unofficial patch, by a programmer at antivirus vendor Eset Software, was available Jan. 5.

Windows Meta File Flaw Response

Dec. 28
Microsoft confirms a vulnerability that could let malicious code travel via images
Dec. 30
Russian programmer Ilfak Guilfanov releases code to work around the WMF vulnerability
Jan. 4
Microsoft warns users not to apply its early patch code accidentally released at security community site
Jan. 5
Microsoft issues official WMF patch five days earlier than planned

Risks Of Unauthorized Fixes
But debate over the wisdom of using Guilfanov's Hexblog code highlights the broader issue of unauthorized third-party fixes. Complications and potential risks that could result from using a stopgap patch convinced research firm Gartner to advise against Guilfanov's solution. The SANS Institute's Internet Storm Center and security research firm F-Secure Corp., however, recommended that users not wait for Microsoft's fix. They suggested unregistering a vulnerable Dynamic Link Library, or DLL, executable program module in Windows and applying Guilfanov's workaround program.

Even if that code worked perfectly, users have had to modify their Windows environments when deploying the patch and will have to uninstall it before applying Microsoft's fix. This creates several opportunities for something to go wrong, Gartner analyst John Pescatore says. Instead, Pescatore advised companies to ensure their URL-blocking capabilities were up to date and WMF files were blocked, and to expedite testing and deployment of Microsoft's patch.

Most businesses would prefer to use an official patch rather than trust third-party offerings, which could encourage phishing scams. At one financial-services company, WMF workarounds led to wasting "countless man-hours" on measures that mitigated risk to a lesser degree than a Microsoft patch would, says the assistant VP of IT security at the company. She adds, "If a third party can put out a stable patch, Microsoft should have been able to."

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 Digital Issue, April 2015
The 27th annual ranking of the leading US users of business technology
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of April 19, 2015.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.