Microsoft pushes out Windows patch ahead of time

Microsoft released a fix for a serious security vulnerability in Windows on Thursday, several days before the patch's scheduled delivery.

The company is breaking with its monthly patch cycle because it completed testing of the security update earlier than it anticipated, it said in a note on its Web site. "In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible," the company said.

Security bulletin MS06-001, originally scheduled for Tuesday, is the first security bulletin of this year and fixes a vulnerability in the way Windows renders Windows Meta File images. The bug was discovered last week and is increasingly being used in what Microsoft calls "malicious and criminal attacks on computer users."

Related story
Too little, too late?

Critics say Microsoft is fiddling while a Windows flaw spawns new attacks.

Critics had called for Microsoft to release the patch as soon as possible. With people unable to patch their systems, the flaw could provide an opportunity for cybercriminals to launch increasingly sophisticated attacks on users, they have said.

Some security experts, in an unusual move, even recommended that users apply a third-party patch developed by European programmer Ilfak Guilfanov.

The MS06-001 update was released 10 days after Microsoft learned of the vulnerability, the fastest turnaround ever for a Microsoft patch, company representatives said.

Threat under control?
Microsoft does not know of any widespread attacks on Windows users, but it urges customers to upgrade and deems the issue "critical."

"Although the attacks based on WMF are very real, and the exploitation and the threats are evolving on a very fast basis, our analysis is consistent that the infection rate is low to moderate," Debby Fry Wilson, a director in Microsoft's Security Response Center, said in an interview. "However, the threat is very real, and customers should take the action of deploying this update as soon as possible."

But others say Windows users face an onslaught of attacks. Security monitoring company Websense said it has identified thousands of Web sites that attempt to exploit the flaw. Additionally, instant messaging worms, Trojan horses and spammed e-mails with malicious image attachments have surfaced, experts have said.

Also, hackers have been quick to craft tools that make it easy to create malicious image files that advantage of the flaw, experts said. These new files can then be used in attacks. The tools themselves can be downloaded from the Internet.

One security expert applauded Microsoft for releasing the fix early. "Everybody was hoping they would get the patch out before a major attack would start," said Mikko Hypponen, chief research officer at security company F-Secure. "Now it looks like they are succeeding in doing just that. Well done."

F-Secure said in its company blog that it has tested the patch and it appears to coexist with the Guilfanov fix.

Susan Bradley, network administrator at Tamiyasu Smith Horn and Braun, an accountancy firm in Fresno, Calif., said she plans to start testing the Microsoft patch now and deploy it Friday night. "Microsoft listened, and I could give them a hug for that," she said.

No fix for Windows 98, ME
Also on Thursday, Microsoft said that older versions of Windows are immune to the latest wave of attacks targeting the operating system.

While Windows 2000, Windows XP and Windows Server 2003 are vulnerable, Windows 98 and Windows Millennium Edition are not exposed to the same threats that exploit the WMF flaw, according to an update to a Microsoft security advisory on the issue.

Microsoft also initially listed the older versions of the operating system as equally vulnerable, but has now backpedaled on that, giving users of older Windows versions a reprieve.

"Although Windows 98, Windows 98 Second Edition and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a critical severity rating for these versions," the company said in its updated advisory.

The WMF code in the older versions of Windows isn't flawless, but the vulnerability is much harder to exploit, said Mike Reavey, an operations manager at the Microsoft Security Response Center.

"There are a lot of mitigating factors, a lot of initial user action," he said. "It is a much different attack. You may be eventually able to get to the code, but it certainly would not be on the level of critical."

Hypponen also said that the older Windows versions are not currently under attack. "Although the WMF bug is there (in the older versions), there's no known code at the moment to exploit it," he said.

Still, releasing a patch for Windows 98 and Windows ME would be the right thing to do, said Mike Murray, director of vulnerability and exposure research at nCircle in San Francisco. "Even Microsoft acknowledges that the vulnerability exists in those OSes, (so) someone will figure out how to exploit it," he said.

By not fixing the older versions of Windows, Microsoft is leaving its customers out in the cold, Murray said. "In a way, they are forcing customers to upgrade, saying that you can continue to use those older operating systems if you want to be vulnerable," he said.

In more bad news for vulnerable PCs, Microsoft warned of another way for attackers to use the flaw--via a malicious image embedded in a Microsoft Office document. The company previously said that an attack could only occur if a user visited a Web site containing a malicious image or opened such a file attached to an e-mail.

Because the issue is not deemed critical for Windows 98 and ME, Microsoft no longer plans to issue a security fix for these OSes. "Per the support life cycle of these versions, only vulnerabilities of critical severity would receive security updates," the company said.

[raitchison]

They are still releasing patches next Tuesday as planned

We will likely hold off on installing this so we don't have to deal with two sets of patch deployments in the span of a week.

[techguy83]

well you know

everyone was yelling at them to get it out, get it out, get it out.

Now, I wonder how many of those who were yelling that are now going to turn around and say: " We'll just wait until Tuesday so that we don't have to deal with 2 patch cycles."

Not that I'm saying you were one of the ones yelling :)

I just remember some of the other posts in the other stories on this issue.

[n3td3v]

Thanks Microsoft Security Response Team

I would like to thank Chris at Microsoft Security Response Center for responding to my e-mail to call for the bringing forward of this patch before the end of the week. It made sense, especially after the distinct threat of a third party patch trend. A trend that would have brought a real danger for the future. Take care, until next time ;-)

fantasy land

so you're saying until you wrote them, they didn't see a need to push the release of this fix to today? If that is indeed what you are implying, that's very sad. If you're just wrong, but you want to take some credit for this, well... that's probably just as sad, but in a different way.

[raitchison]

That's a good point

I wonder if Microsoft would have released the patch early if there were not a third party patch out there that people were installing.

[techguy83]

probably not

but I agree that a trend of thrid party patches would be a bad idea. It would hurt the computer industry tremdously.

I can see it now.

A flaw is announced in some OS. Developers rush to beat each other to the market with a patch that works, to gain their 15 minutes of fame. Chaos would be the result.

[rcrusoe]

Any more backdoors in Windows?

I wonder how many more backdoors have been in Windows all
these years?