Microsoft pushes out Windows patch ahead of time

Flaw that has spawned several attacks gets fixed Thursday, after the company comes under criticism.

Microsoft released a fix for a serious security vulnerability in Windows on Thursday, several days before the patch's scheduled delivery.

The company is breaking with its monthly patch cycle because it completed testing of the security update earlier than it anticipated, it said in a note on its Web site. "In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible," the company said.

Security bulletin MS06-001, originally scheduled for Tuesday, is the first security bulletin of this year and fixes a vulnerability in the way Windows renders Windows Meta File images. The bug was discovered last week and is increasingly being used in what Microsoft calls "malicious and criminal attacks on computer users."

Critics had called for Microsoft to release the patch as soon as possible. With people unable to patch their systems, the flaw could provide an opportunity for cybercriminals to launch increasingly sophisticated attacks on users, they have said.

Some security experts, in an unusual move, even recommended that users apply a third-party patch developed by European programmer Ilfak Guilfanov.

The MS06-001 update was released 10 days after Microsoft learned of the vulnerability, the fastest turnaround ever for a Microsoft patch, company representatives said.

Threat under control?
Microsoft does not know of any widespread attacks on Windows users, but it urges customers to upgrade and deems the issue "critical."

"Although the attacks based on WMF are very real, and the exploitation and the threats are evolving on a very fast basis, our analysis is consistent that the infection rate is low to moderate," Debby Fry Wilson, a director in Microsoft's Security Response Center, said in an interview. "However, the threat is very real, and customers should take the action of deploying this update as soon as possible."

But others say Windows users face an onslaught of attacks. Security monitoring company Websense said it has identified thousands of Web sites that attempt to exploit the flaw. Additionally, instant messaging worms, Trojan horses and spammed e-mails with malicious image attachments have surfaced, experts have said.

Also, hackers have been quick to craft tools that make it easy to create malicious image files that advantage of the flaw, experts said. These new files can then be used in attacks. The tools themselves can be downloaded from the Internet.

One security expert applauded Microsoft for releasing the fix early. "Everybody was hoping they would get the patch out before a major attack would start," said Mikko Hypponen, chief research officer at security company F-Secure. "Now it looks like they are succeeding in doing just that. Well done."

F-Secure said in its company blog that it has tested the patch and it appears to coexist with the Guilfanov fix.

Susan Bradley, network administrator at Tamiyasu Smith Horn and Braun, an accountancy firm in Fresno, Calif., said she plans to start testing the Microsoft patch now and deploy it Friday night. "Microsoft listened, and I could give them a hug for that," she said.

No fix for Windows 98, ME
Also on Thursday, Microsoft said that older versions of Windows are immune to the latest wave of attacks targeting the operating system.

While Windows 2000, Windows XP and Windows Server 2003 are vulnerable, Windows 98 and Windows Millennium Edition are not exposed to the same threats that exploit the WMF flaw, according to an update to a Microsoft security advisory on the issue.

Microsoft also initially listed the older versions of the operating system as equally vulnerable, but has now backpedaled on that, giving users of older Windows versions a reprieve.

"Although Windows 98, Windows 98 Second Edition and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a critical severity rating for these versions," the company said in its updated advisory.

The WMF code in the older versions of Windows isn't flawless, but the vulnerability is much harder to exploit, said Mike Reavey, an operations manager at the Microsoft Security Response Center.

"There are a lot of mitigating factors, a lot of initial user action," he said. "It is a much different attack. You may be eventually able to get to the code, but it certainly would not be on the level of critical."

Hypponen also said that the older Windows versions are not currently under attack. "Although the WMF bug is there (in the older versions), there's no known code at the moment to exploit it," he said.

Still, releasing a patch for Windows 98 and Windows ME would be the right thing to do, said Mike Murray, director of vulnerability and exposure research at nCircle in San Francisco. "Even Microsoft acknowledges that the vulnerability exists in those OSes, (so) someone will figure out how to exploit it," he said.

By not fixing the older versions of Windows, Microsoft is leaving its customers out in the cold, Murray said. "In a way, they are forcing customers to upgrade, saying that you can continue to use those older operating systems if you want to be vulnerable," he said.

In more bad news for vulnerable PCs, Microsoft warned of another way for attackers to use the flaw--via a malicious image embedded in a Microsoft Office document. The company previously said that an attack could only occur if a user visited a Web site containing a malicious image or opened such a file attached to an e-mail.

Because the issue is not deemed critical for Windows 98 and ME, Microsoft no longer plans to issue a security fix for these OSes. "Per the support life cycle of these versions, only vulnerabilities of critical severity would receive security updates," the company said.