WMF patch released early
Bucking standard operating procedure, Microsoft released a patch Thursday for the recently exposed meta file vulnerability on numerous operating systems.
The security bulletin, MS06-001, was available for download at 5 p.m. EST. Microsoft had planned to release the patch five days later.
The Redmond, Wash., company said it made the patch available early partially because of public concerns.
"Microsoft originally planned to release the update on Tuesday, Jan. 10, 2006, as part of its regular monthly release of security bulletins, after testing for quality and application compatibility was complete," the company said in a statement on its website. "However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible."
Microsoft first advised users last month to maintain antivirus services and apply the work-around it recommended.
Malicious users have set up attack websites to exploit the image vulnerability, from which they can execute arbitrary code, cause a denial of service condition or take complete control of an infected PC, the U.S. Computer Emergency Readiness Team and multiple security firms warned late last month.
Microsoft also announced a special Friday webcast to provide technical details about MS06-001.
Microsoft warned users not to visit unfamiliar websites and said it still does not believe hackers are taking widespread advantage of the flaw.
"Microsoft's monitoring of attack data continues to indicate that the attacks are limited and are being mitigated both by Microsoft's efforts to shut down malicious websites and by up-to-date signatures from antivirus companies," the company said.
A pre-release version of the patch was briefly leaked to the public on a weblog earlier this week.
Mike Reavy, of Microsoft's Security Response Center, said the leak was unintentional.
"In our effort to put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site," he said. "There has been some discussion and pointers on subsequent sites to the pre-release code."
On Jan. 10, Microsoft is still planning to release a security bulletin for Windows with a "critical" rating, a security bulletin for Microsoft Exchange and Office and an updated version of its malicious software removal tool.
Some experts had advised users to download an unofficial patch from Russian computer scientist Ilfak Guilfanov, which can be downloaded at http://www.hexblog.com.