Oops! Windows Metafile Patch Leaks To The Web

In its rush to put a patch for Windows' newest vulnerability through its paces, Microsoft accidentally released a preliminary version of the fix to the Web.
In its rush to put a patch for Windows' newest vulnerability through its paces, Microsoft accidentally released a preliminary version of the fix to the Web, the company confirmed Wednesday.

The Redmond, Wash.-based developer's security research center (MSRC) acknowledged the goof in a blog entry by operations manager Mike Reavey.

"In our effort to put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site," wrote Reavey. "There has been some discussion and pointers on subsequent sites to the pre-release code…[but] we recommend that customers disregard the postings."

The leak, together with comments made by other Microsoft executives Wednesday, supports the company's contention that the planned patch is complete. It also lends credence to the idea that, although the patch remains in testing ahead of the already-announced Tuesday, Jan. 10 release date, it could be released earlier if necessary.

Steve Gibson, president of Gibson Research, downloaded the pre-release patch and tested it. "The updated GDI32.DLL file contained in this patch was built in the evening of December 28th, last Wednesday," wrote Gibson in an alert on his Web site. "It is clear that Microsoft jumped on this problem — and had it resolved — almost immediately."

Some security professionals have taken Microsoft to task for not releasing a fix faster, but the company maintains that it needs time to properly test the update against various versions of Windows to make sure it doesn't break Microsoft's or others' applications.

That doesn't mean Microsoft couldn't roll out the fix ASAP if it wanted to.

"We're on schedule to release [our patch] Jan. 10," said Debbie Fry Wilson, an MSRC director, in an interview Wednesday. "But if the situation in the wild changes, and the data and analysis we have on the rate of spread [of exploits] changes from what we know today, we would release it out-of-cycle."

According to Gibson, the Microsoft fix works smoothly with the unsanctioned patch from reverse-engineering guru Ilfak Guilfanov.

"Ilfak's WMF vulnerability suppression patch, and his WMF vulnerability testing utility both interact smoothly and seamlessly with Microsoft's forthcoming official security update," Gibson wrote. "Ilfak's code can be left running while installing Microsoft's security update, then safely removed once the system has rebooted from the update."

Interestingly, Guilfanov's hotfix has come under fire from Microsoft, which has recommended that users avoid it, even as the company's own patch works alongside the third-party hotfix without conflict.

"You may use Ilfak's solutions while Microsoft completes their extensive compatibility and regression testing for this forthcoming security update," claimed Gibson. "Once the update is ready, install Microsoft's update, then safely remove Ilfak's patcher."