Wait for Windows patch opens attack window

Microsoft is still working on a fix for a serious flaw in its OS, leaving people to face a week of increasingly sophisticated attacks.

A serious flaw in Windows is generating a rising number of cyberattacks, but Microsoft says it won't deliver a fix until next week.

That could be too late, security experts said. The vulnerability, which lies in the way the operating system renders Windows Meta File images, could infect a PC if the victim simply visits a Web site that contains a malicious image file. Consumers and businesses face a serious risk until it's fixed, experts said.

"This vulnerability is rising in popularity among hackers, and it is simple to exploit," said Sam Curry, a vice president at security vendor Computer Associates International. "This has to be taken very seriously, and time is of the essence. A patch coming out as soon as possible is the responsible thing to do."


What's new:
Microsoft says customers will have to wait till next week for a patch for a Windows Meta File flaw that has opened the door to a flood of cyberattacks.

Bottom line:
The delay will leave businesses and consumers unprotected during seven days of attacks that promise to become increasingly sophisticated, experts warn.

Microsoft has come under fire in the past for the way it releases security patches, and it responded by instituting a monthly patching program so that system administrators could plan for the updates. Critics contend that in high-urgency cases such as the WMF flaw, Microsoft should release a fix outside of its monthly schedule.

Details on the WMF security problem were publicly reported last week. Since then, a number of attacks that take advantage of the flaw have surfaced, including thousands of malicious Web sites, Trojan horses and at least one instant messaging worm, according to security reports.

More than a million PCs have already been compromised, said Andreas Marx, an antivirus software specialist at the University of Magdeburg in Germany. He has found a hidden Web site that shows how many copies of a program that installs malicious software have been delivered to vulnerable PCs.

Microsoft has said that a patch will not be made available until Jan. 10, its next official patch release day. That delay could provide an opportunity for attackers, security provider Symantec said on Tuesday.

"There is a potential 7-day window for which attackers could exploit this issue in a potentially widespread and serious fashion," Symantec said in a notice sent to subscribers of its DeepSight alert service.

Hackers have been quick to craft tools that make it easy to create malicious image files that take advantage of the flaw, experts said. The resulting files can then be used in attacks, and the tools themselves can be downloaded from the Internet.

Many of the attacks today use the unpatched bug to attempt to install unwanted software, such as spyware and programs that display pop-up advertising, on Windows PCs. The flaw affects all current versions of the operating system, and a vulnerable system can be attacked simply if the user views a specially crafted image, according to a Microsoft security advisory.
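Because the attack is carried by the image data itself, a practitioner waiting for the patch can at least inspect WMF content that reaches users (a proxy cache, a mail gateway, a download folder). The scanner below is an added example written for this page; it is not code from the article, from Microsoft or from any of the vendors quoted. It assumes one detail that the article does not state but that the public analysis of this flaw established: the trigger is a META_ESCAPE record (function 0x0626) whose escape code is SETABORTPROC (9). The two WMF blobs it builds, one benign and one carrying such a record, are constructed test vectors, not samples from the wild.

```python
"""Flag WMF files that carry a SETABORTPROC escape record.

Added example, not from the article. The escape-record detail is taken from
public analysis of the WMF flaw, not from the page, and the sample files
below are constructed here for testing.
"""
import struct
import sys

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte "placeable" header prefix
META_ESCAPE = 0x0626
META_EOF = 0x0000
META_SETBKCOLOR = 0x0201
SETABORTPROC = 0x0009          # escape code assumed from public analysis


def parse_wmf_records(data: bytes):
    """Yield (offset, function, params) for each record in a WMF blob.

    Layout: [22-byte placeable header] + 18-byte standard header, then
    records of (DWORD size in 16-bit words, WORD function, params...).
    Stops at META_EOF; a record that runs past the buffer is an error.
    """
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22
    if len(data) < pos + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, pos + 2)[0]
    if header_words != 9:
        raise ValueError(f"unexpected header size {header_words}")
    pos += 18
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        size_bytes = size_words * 2
        if size_bytes < 6 or pos + size_bytes > len(data):
            raise ValueError(f"malformed record at offset {pos}")
        yield pos, func, data[pos + 6:pos + size_bytes]
        if func == META_EOF:
            return
        pos += size_bytes


def find_setabortproc(data: bytes) -> list:
    """Return offsets of META_ESCAPE records whose escape code is SETABORTPROC."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(off)
    return hits


def _record(func: int, params: bytes) -> bytes:
    """Build one WMF record; the size field counts 16-bit words."""
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records: list) -> bytes:
    """Build a minimal standard-header WMF from a list of records."""
    body = b"".join(records) + _record(META_EOF, b"")
    max_record = max(len(r) // 2 for r in records) if records else 3
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max_record, 0)
    return header + body


# Constructed test vectors: a harmless background-colour record, and the same
# file with a SETABORTPROC escape record appended (no payload data).
BENIGN_WMF = _wmf([_record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF))])
SUSPECT_WMF = _wmf([
    _record(META_SETBKCOLOR, struct.pack("<I", 0x00FFFFFF)),
    _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)),
])


def scan_path(path: str) -> list:
    """Scan one file on disk by content, ignoring its extension."""
    with open(path, "rb") as fh:
        return find_setabortproc(fh.read())


if __name__ == "__main__":
    for p in sys.argv[1:]:
        try:
            hits = scan_path(p)
        except ValueError as exc:
            print(f"{p}: not parseable as WMF ({exc})")
            continue
        print(f"{p}: {'SUSPECT at ' + str(hits) if hits else 'clean'}")
```

The scanner keys on content rather than file extension, since the rendering path does not depend on the name a file arrives under; a malformed record that overruns the buffer is reported as an error instead of being silently skipped, because truncation is exactly what a crafted file may rely on.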

In most cases, the attacks require a user to visit a malicious Web site, but the schemes are likely to become more sophisticated, antivirus specialist Marx said.

"I'm sure it's just a matter of days until the first (self-propagating) WMF worm will appear," he said. "A patch is urgently needed."

Microsoft is urging people to be cautious when surfing the Web. "Users should take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code," it said in its advisory.

But most ordinary PC owners simply aren't aware of this type of threat, said Stacey Quandt, an analyst with the Aberdeen Group. "There are a lot of Windows users who aren't paranoid enough about never clicking on an unknown link," she said.

Patch ahoy
Microsoft has completed a fix for the problem and is currently testing and localizing the update into 23 languages, the software maker said in its advisory, updated on Tuesday. "Microsoft's goal is to release the update on Tuesday, Jan. 10, 2006, as part of its monthly release of security bulletins," the company said.

To protect Windows users, Microsoft should not wait but should release the patch now, several critics said.

"The flaw is actively exploited on multiple sites, and antivirus provides only limited protection," said Johannes Ullrich, the chief research officer at the SANS Institute. "Active use of an exploit without sufficient mitigating measures should warrant the early release of a patch, even a preliminary, not fully tested patch."