January 4, 2006 1:36 PM PST

Microsoft inadvertently leaks WMF patch

An early version of a security fix for a Windows flaw that is being used as a conduit for cyberattacks was prematurely posted online by a Microsoft employee.

The fix was briefly posted on a security community Web site, Debby Fry Wilson, a director in Microsoft's Security Response Center, said on Wednesday. Copies of the file have since been posted online elsewhere, but Microsoft recommends that customers wait for the final version in its monthly security release on Jan. 10, she said.

"It really was an inadvertent thing that happened," Fry Wilson said. "We have the security update on a fast track...(and) somebody accidentally posted a prerelease version on a community site. It has been taken down, and we don't recommend customers use it--it is not the version that we will be releasing on Tuesday."

The fix is designed to repair a flaw in the way Windows renders Windows Meta File images. The bug was discovered last week and is being exploited in attacks that compromise a vulnerable PC if the user visits a Web site with a malicious image file.

Related story
Too little, too late?
Critics say Microsoft is fiddling while a Windows flaw spawns new attacks

Security experts have urged Microsoft to rush the patch because of the onslaught of attacks. More than a million PCs have already been compromised, according to Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. There are thousands of malicious Web sites, as well as Trojan horses and at least one instant messaging worm, that use the WMF flaw as a conduit, other experts have said.

Microsoft said it hasn't seen many attacks on its customers. The company plans to issue the final version of its fix on Tuesday, its next official patch release day, Fry Wilson said.

"We have to weigh putting out a partially tested update against the severity of the attack," she said. "If customers are being attacked in large numbers, then we will go ahead and put out the update as we have it, so that customers can be protected, even though it might break things."

A patch may turn out to have side effects, even if it has undergone full testing. Microsoft has had problems in the past, most recently with an Internet Explorer update in December.

Microsoft's fix appears to be nearly done, said Steve Gibson, the president of Gibson Research in Laguna Hills, Calif. "It works great," said Gibson, who downloaded the file and tested it. It even works with a patch developed by European programmer Ilfak Guilfanov, he said.

After examining the software, Gibson believes Microsoft could push out the fix before Patch Tuesday.

"They obviously already have it packaged and ready to go," he said. However, there are reasons for Microsoft to hold off. "Major corporate users very much dislike randomly timed patch releases, since it is deeply disruptive of everything else that's going on," he added.

8 comments

Join the conversation!
Add your comment
Hmmm, fishy!
Is it just a coincedence that Microsoft's patch is leaked as people started using 3rd party patch?

I wonder!
Posted by baloushi (7 comments )
Reply Link Flag
It was an accident.
And nobody can prove otherwise.
Posted by System Tyrant (1453 comments )
Link Flag
Nice going, MS
This premature fix would probably open the door for other flaws to be exploited, which would require another patch for a patch.
__________________________________
R.K.
<a class="jive-link-external" href="http://www.Remove-All-Spyware.com/" target="_newWindow">http://www.Remove-All-Spyware.com/</a>
Posted by Roman12 (214 comments )
Reply Link Flag
Annoying
Is anyone else annoyed by the thought that millions of home Windows users could be exposed to risk at least in part because corporate customers don't like out-of-cycle updates?

The whole logic behind that process seems idiotic to me. Here's a thought: If you only want to install patches once a month, then do so. If a patch comes out during the timeframe when you have "other things" going on, then IGNORE IT until your schedule dictates that it should be installed.

But why whine, and make millions of users wait?
Posted by TimeBomb (70 comments )
Reply Link Flag
How about....
How about you don't believe everything you read. Notice that the alleged "reason" comes from an outside company and not Microsoft. Microsoft,through their security bulletins, have clearly stated why they are waiting to release the patch.
Posted by robertcampbell2 (103 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.