Get Smart about Business Spending
- Related Stories
-
Beating Microsoft to the punch
January 4, 2006 -
Wait for Windows patch opens attack window
January 3, 2006 -
Windows flaw spawns dozens of attacks
January 3, 2006 -
Trojan delivers unwanted gift to Windows PCs
December 28, 2005
The fix was briefly posted on a security community Web site, Debby Fry Wilson, a director in Microsoft's Security Response Center, said on Wednesday. Copies of the file have since been posted online elsewhere, but Microsoft recommends that customers wait for the final version in its monthly security release on Jan. 10, she said.
"It really was an inadvertent thing that happened," Fry Wilson said. "We have the security update on a fast track...(and) somebody accidentally posted a prerelease version on a community site. It has been taken down, and we don't recommend customers use it--it is not the version that we will be releasing on Tuesday."
The fix is designed to repair a flaw in the way Windows renders Windows Meta File images. The bug was discovered last week and is being exploited in attacks that compromise a vulnerable PC if the user visits a Web site with a malicious image file.
Too little, too late?
Security experts have urged Microsoft to rush the patch because of the onslaught of attacks. More than a million PCs have already been compromised, according to Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. There are thousands of malicious Web sites, as well as Trojan horses and at least one instant messaging worm, that use the WMF flaw as a conduit, other experts have said.
Microsoft said it hasn't seen many attacks on its customers. The company plans to issue the final version of its fix on Tuesday, its next official patch release day, Fry Wilson said.
"We have to weigh putting out a partially tested update against the severity of the attack," she said. "If customers are being attacked in large numbers, then we will go ahead and put out the update as we have it, so that customers can be protected, even though it might break things."
A patch may turn out to have side effects, even if it has undergone full testing. Microsoft has had problems in the past, most recently with an Internet Explorer update in December.
Microsoft's fix appears to be nearly done, said Steve Gibson, the president of Gibson Research in Laguna Hills, Calif. "It works great," said Gibson, who downloaded the file and tested it. It even works with a patch developed by European programmer Ilfak Guilfanov, he said.
After examining the software, Gibson believes Microsoft could push out the fix before Patch Tuesday.
"They obviously already have it packaged and ready to go," he said. However, there are reasons for Microsoft to hold off. "Major corporate users very much dislike randomly timed patch releases, since it is deeply disruptive of everything else that's going on," he added.
See more CNET content tagged:
Gibson Research, Microsoft Windows Metafile, fix, attack, patch
I wonder!
__________________________________
R.K.
http://www.Remove-All-Spyware.com/
- Annoying
- by TimeBomb January 4, 2006 9:17 PM PST
- Is anyone else annoyed by the thought that millions of home Windows users could be exposed to risk at least in part because corporate customers don't like out-of-cycle updates?
- Like this Reply to this comment
-
-
- How about....
- by robertcampbell2 January 5, 2006 5:13 AM PST
- How about you don't believe everything you read. Notice that the alleged "reason" comes from an outside company and not Microsoft. Microsoft,through their security bulletins, have clearly stated why they are waiting to release the patch.
- Like this View reply
Processing -
(8 Comments)The whole logic behind that process seems idiotic to me. Here's a thought: If you only want to install patches once a month, then do so. If a patch comes out during the timeframe when you have "other things" going on, then IGNORE IT until your schedule dictates that it should be installed.
But why whine, and make millions of users wait?