X

Microsoft inadvertently leaks WMF patch

Company, under fire over timing of fix for a serious Windows flaw, pulls early version of patch off the Web.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
See full bio
Joris Evers
2 min read
An early version of a security fix for a Windows flaw that is being used as a conduit for cyberattacks was prematurely posted online by a Microsoft employee.

The fix was briefly posted on a security community Web site, Debby Fry Wilson, a director in Microsoft's Security Response Center, said on Wednesday. Copies of the file have since been posted online elsewhere, but Microsoft recommends that customers wait for the final version in its monthly security release on Jan. 10, she said.

"It really was an inadvertent thing that happened," Fry Wilson said. "We have the security update on a fast track...(and) somebody accidentally posted a prerelease version on a community site. It has been taken down, and we don't recommend customers use it--it is not the version that we will be releasing on Tuesday."

The fix is designed to repair a flaw in the way Windows renders Windows Meta File images. The bug was discovered last week and is being exploited in attacks that compromise a vulnerable PC if the user visits a Web site with a malicious image file.

Security experts have urged Microsoft to rush the patch because of the onslaught of attacks. More than a million PCs have already been compromised, according to Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. There are thousands of malicious Web sites, as well as Trojan horses and at least one instant messaging worm, that use the WMF flaw as a conduit, other experts have said.

Microsoft said it hasn't seen many attacks on its customers. The company plans to issue the final version of its fix on Tuesday, its next official patch release day, Fry Wilson said.

"We have to weigh putting out a partially tested update against the severity of the attack," she said. "If customers are being attacked in large numbers, then we will go ahead and put out the update as we have it, so that customers can be protected, even though it might break things."

A patch may turn out to have side effects, even if it has undergone full testing. Microsoft has had problems in the past, most recently with an Internet Explorer update in December.

Microsoft's fix appears to be nearly done, said Steve Gibson, the president of Gibson Research in Laguna Hills, Calif. "It works great," said Gibson, who downloaded the file and tested it. It even works with a patch developed by European programmer Ilfak Guilfanov, he said.

After examining the software, Gibson believes Microsoft could push out the fix before Patch Tuesday.

"They obviously already have it packaged and ready to go," he said. However, there are reasons for Microsoft to hold off. "Major corporate users very much dislike randomly timed patch releases, since it is deeply disruptive of everything else that's going on," he added.