Citing customer demand and massive testing efforts, Microsoft Corp. eleased a patch last Thursday, several days ahead of schedule, for a vulnerability in some Windows graphics files. Our security bulletins could be released out of cycle if necessary in order to help protect our customers.Derek Wong>Text
The patch is available at this Web site.
The company was stung by criticisms last week from security experts and customers that it was too slow in releasing a fix for the Windows Meta File or WMF vulnerability discovered in December.
Company sources told IT World Canada that Microsoft staff worked relentlessly to accomplish this feat. “We took people off other projects and put them on this one,” said Derick Wong, senior security product manager at Microsoft Canada. “We had about two hundred people on the project 24/7 to make sure the fix would be up and running.”
Microsoft’s delayed response in providing a patch brought heat from security experts who said the vendor’s response was too slow. The company knew about the patch for more than a week and first said it would not provide a fix until its regular monthly patch release slated for Jan. 10. Company officials said they were reacting to “strong customer sentiment that the release should be made available as soon as possible.”
Responding to current customer demand placed the company in a double bind. According to John Weigelt, National Technology Officer at Microsoft Canada, Microsoft’s customers have in the past requested an orderly monthly update schedule so their operations folk have sufficient time to analyze and test patches.
But Wong pointed out Microsoft is prepared to make exceptions when circumstances warrant a one-off release. “We’ve been very clear that our security bulletins could be released out of cycle if necessary in order to help protect our customers if the level of awareness and malicious activities put them in harm’s way.”
Microsoft officials said when they realized there were active exploits in the wild they focused all of their security resources on developing the patch.
The threat presented by the WMF vulnerability was perceived by security experts to be so severe that The SANS Institute, a security organization in Bethesda, ML, that monitors Internet threats, took the unusual step of offering a WMF patch of its own for Windows XP and Windows 2000. Security applications vendor Eset Software in Coronado, Calif. also jumped in with a WMF patch of its own.
Microsoft said during the Web cast that the vulnerability was rated critical for Windows 2000 SP4, XP SP1 and SP2, Windows Server 2003 and Server 2003 SP1. It was not rated critical for Windows 98, 98 SE or ME.
While Microsoft does not bind users to any contractual limitation on using third-party patches, the company urged users to wait for its official patch.
“We looked at the SANS patch, but we had not given it the thorough analysis or review that would have put us in a position to qualify it in any way,” said Fry Wilson, a director in Microsoft’s Security Response Center. She also said timing on the patch was driven by Microsoft’s research that showed attacks were not spreading rapidly.
“We have been very consistent, although this is a serious issue, it is not of the nature of a worm. It does require user interaction,” said Wilson. She said Microsoft has been tracking WMF exploits using its own anti-virus engine, forensic analysis and help from its anti-virus partners.
“When the incident is completed and all the data is in the evidence will show, that although this was a serious issue, it was not something on the scale that has been reported by some commentators in the industry,” said Wilson.
Corporate users running Windows Server Update Services will receive the update automatically. Microsoft said the update is supported by Microsoft Baseline Security Analyzer 2.0, Systems Management Server, and Software Update Services. Corporate users also can manually download the patch from here.
Consumers who use Automatic Updates will receive the update automatically. Users also can manually download the update from Microsoft Update or Windows Update.
