Amid growing consumer concern and increasing media attention, Microsoft yesterday did something rather rare: It released an out-of-cycle patch.
The company issued the fix for the zero-day Metafile vulnerability five days ahead of schedule. The hole is related to Windows metafiles (WMF), which are image files used by popular applications, such as Microsoft Word. So far, WMF exploits typically have been used to install spyware and adware.
The vulnerability applies to all the main versions of Windows: Windows ME, Windows 2000, Windows XP and Windows 2003, Microsoft confirmed. This means there are hundreds of millions of vulnerable computers.
Strong Customer Sentiment
Microsoft has been working on the patch, labeled MS06-001, since last week, but made no formal announcement that a release would be coming in advance of Patch Tuesday. In fact, Microsoft had said it would not release a fix ahead of schedule, spurring code writers to look for workarounds to the plague-like attack.
Testing for quality and application compatibility was completed earlier than anticipated, Microsoft said. It released the update early “in response to strong customer sentiment that the release should be made available as soon as possible,” according to a company statement.
Microsoft’s monitoring of attack data continues to indicate that the attacks are limited, the company said, and are being mitigated both by its efforts to shut down malicious Web sites and by up-to-date signatures from anti-virus companies.
Not Out of the Woods
However, the Metasploit Project has an improved exploit for this WMF vector that further evades detection on both the network and application layer solutions to date, Ken Dunham, a senior engineer with Reston, Va.-based VeriSign iDefense, told TechNewsWorld.
The detection capabilities of anti-virus software continue to improve, but some companies and products still struggle to provide comprehensive protection against emerging WMF threats, he said. In fact, Dunham reported that Microsoft identified Word as a possible vector of attack, where a hostile WMF file may be embedded into a document.
“Development of improved exploit codes continues, with updates being made to Metasploit Project and other tools,” Dunham said. “Even though a patch is now out for the WMF vulnerability, all indicators strongly suggest that WMF exploitation will be a persistent long-term vector of attack for adware, spyware and Trojan attacks. Targeted attackers may try to leverage a hostile embedded WMF inside of a Microsoft Word file in future attacks.”
Patch Tuesday Coming
Customers who use Automatic Updates will receive the update automatically and do not need to take any additional actions, Microsoft said. Customers can also manually download and deploy the update by visiting Microsoft Update or Windows Update.
In addition to deploying MS06-001, users should take care not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code, Microsoft warned.
Microsoft will be releasing additional security updates on Tuesday, Jan. 10, as part of its regularly scheduled release of security updates.