Microsoft releases WMF patch

Microsoft released a patch for the Windows WMF (Windows Meta File) flaw at 5 p.m. Eastern time Thursday in response to what it described as “strong consumer sentiment” for an early fix to the problem.

Enterprise customers who are using Windows Server Update Services will receive the update automatically, the company said in a statement this afternoon. Manual downloads are now available at http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx.

In addition, the update is supported by Microsoft Baseline Security Analyzer 2.0, Systems Management Server and Software Update Services, the company said. Individual users who use Automatic Updates will receive the patch automatically.

Microsoft had originally said it would release the patch next Tuesday as part of its regularly scheduled monthly updates. But the company has been under mounting pressure from users and security analysts in the wake of a growing number of attack methods targeting the flaw. Those attack methods became more numerous over the past few days.

“Microsoft will continue to monitor attack data, which has thus far indicated that the attacks exploiting this vulnerability are limited and mitigated by efforts to shut down malicious Web sites and with up-to-date signatures from antivirus solutions,” the company said in its statement.

In addition to the patch for the WMF flaw being released, Microsoft will also release a security bulletin detailing updates for flaws in Windows, Exchange and Office products that will be released on Jan 10. The maximum severity rating for the flaws described in these bulletins is critical, the company said in an advance notification released today.

The company will also release an updated version of its malicious-code-removal tool on Tuesday as part of its monthly security updates.

Johannes Ullrich, chief technology officer at the SANS Internet Storm Center (ISC) in Bethesda, Md., said his company has tested the patches and they appear to be working fine.

“It’s really good of Microsoft to have released the patches so quickly,” said Ullrich, whose organization had been recommending that companies download a third-party patch released by a Belgian security expert instead of waiting for Microsoft’s scheduled Jan. 10 update.

“So far as we can tell, the [third-party] patch does not interfere with Microsoft’s patch,” Ullrich said. But it is better for those who have installed the unofficial patch to uninstall it after they have implemented the Microsoft patch, he said.

“It can only hurt at that point” to have both patches, Ullrich said, adding that SANS's ISC has posted details on its Web site telling users who may have installed any of the earlier patches or work-arounds how to update to the official Microsoft release.