A piece of code written by Russian programmer Ilfak Guilfanov--and endorsed by some security experts--to protect computers against WMF exploits reached unprecedented popularity for a third-party fix. It also sparked controversy over whether users were better served waiting for Microsoft or trusting an unauthorized patch. The vulnerability lies in the Windows graphics rendering engine that handles Windows Meta File images, which attackers could use to launch malicious code on users' computers via these images. Microsoft acknowledged the vulnerability on Dec. 28 but said it wouldn't make a fix available until Jan. 10, which would have given hackers 13 days to get creative embedding attacks within WMF images. The bug spurred more than 200 exploits as of last week, according to security firm Sophos plc.
Third-party patches and workaround code aren't unheard of for Microsoft software vulnerabilities, but "this is the first time I can recall where there has been community endorsement of a third-party patch," Fry says of Guilfanov's work. "That's unusual." Guilfanov, senior developer with Belgian software maker DataRescue, is best known for writing the IDA Pro software that security specialists use to dissect viruses and malware. Another unofficial patch, by a programmer at antivirus vendor Eset Software, was available Jan. 5.
Risks Of Unauthorized Fixes
Even if that code worked perfectly, users have had to modify their Windows environments when deploying the patch and will have to uninstall it before applying Microsoft's fix. This creates several opportunities for something to go wrong, Gartner analyst John Pescatore says. Instead, Pescatore advised companies to ensure their URL-blocking capabilities were up to date and WMF files were blocked, and to expedite testing and deployment of Microsoft's patch.
Most businesses would prefer to use an official patch rather than trust third-party offerings, which could encourage phishing scams. At one financial-services company, WMF workarounds led to wasting "countless man-hours" on measures that mitigated risk to a lesser degree than a Microsoft patch would, says the assistant VP of IT security at the company. She adds, "If a third party can put out a stable patch, Microsoft should have been able to."
Windows Meta File Flaw Response
Dec. 28: Microsoft confirms a vulnerability that could let malicious code travel via images
Dec. 30: Russian programmer Ilfak Guilfanov releases code to work around the WMF vulnerability
Jan. 4: Microsoft warns users not to apply its early patch code accidentally released at security community site
Jan. 5: Microsoft issues official WMF patch five days earlier than planned
But debate over the wisdom of using Guilfanov's Hexblog code highlights the broader issue of unauthorized third-party fixes. Complications and potential risks that could result from using a stopgap patch convinced research firm Gartner to advise against Guilfanov's solution. The SANS Institute's Internet Storm Center and security research firm F-Secure Corp., however, recommended that users not wait for Microsoft's fix. They suggested unregistering a vulnerable Dynamic Link Library, or DLL, executable program module in Windows and applying Guilfanov's workaround program.