Microsoft has released a patch for the critical Windows Metafile Format (WMF) security hole in its graphics rendering engine today, four days sooner than it said. The WMF vulnerability has been known since mid December last year, but Microsoft earlier said it wouldn't have a patch ready until January 10.
However, Brett Roberts, chief technology officer at Microsoft New Zealand, says the quality assurance and compatibility testing for the patch went faster than expected so the software vendor released fix to Windows Update early this morning. Roberts says building and testing the patches is "a major engineering exercise" and that Microsoft put several hundred people working round the clock on sorting out the WMF vulnerability.
The WMF issue affects all versions of Windows and allows an attacker to execute arbitrary code on users' machines without any interaction. Windows will attempt to read WMF graphics files renamed with different extensions leaving people vulnerable to exploits through malicious web pages and email attachments. Anti-spam organisation Spamhaus is currently listing a number of sites set up to exploit the WMF vulnerability, but Roberts says the number of machines actually cracked is minimal. Microsoft bases this on information provided through its OneCare security software and data from large antivirus vendors, Roberts says.
Microsoft's patch works for Windows 2000 Service Pack 4, XP SP1, SP2 and X64 Edition, as well as the Windows Server family of operating systems. Windows 98 and Millennium Edition contain the same WMF component but Microsoft says on these earlier systems the vulnerability isn't critical and hasn't released a patch for them.
As Microsoft was perceived to drag its heels on issuing a patch for the critical vulnerability, Ilfak Guilfanov, a Russian programmer with Belgian software analysts DataRescue, released an unsupported hotfix for WMF hole which some in the security community urged users to install. Microsoft also issued a workaround which could be used to de-register the vulnerable Dynamic Link Library, shimgvw.dll, but this broke Windows Fax previewer.
For more details, see:
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)
Roberts adds that Microsoft will hold a webcast for IT professionals this Friday about the WMF security issue. To register for the webcast, go here.