Microsoft Releases WMF Patch Early

Even a titan can move quickly when it has to: Microsoft has released a security patch purporting to fix a critical security flaw in rendering WMF images. The problem goes all the way back to Windows 98, and, unlike many previous security vulnerabilities, could potentially be exploited if a user simply viewed a malicious image on a Web site or in an email message.

The security flaw was discovered last week, and involves rendering of Windows Metafile (WMF) graphical images: if an image were maliciously constructed to contain particular escape codes, simply displaying the image on a vulnerable Windows system could let an attacker run arbitrary code, potentially taking over the machine, compromising the user’s privacy, and obtaining sensitive information. Microsoft says attempts to exploit the flaw have appeared on the Internet, but appear so far to have been limited in scope.

Once the flaw was revealed, its extent and potential severity led analysts and computer users to strongly demand Microsoft patch the problem outside its normal security update schedule. Microsoft originally announced it would release the update on January 10, 2006, as part of its regular monthly release of security bulletins, and offered some technical tips to reduce user exposure to the problem.

Several third-party developers released unofficial patches which claimed to reduce or eliminate the vulnerability. For its part, Microsoft has little choice but to warn users not to install a third-party patch for a flaw in the Windows operating system: although most such developers no doubt have the Windows community’s best intentions at heart (and many are reputable), Microsoft cannot test and vouch for the efficacy of third-party patches, and there’s always the possibility a malicious attacker would release software with its own nefarious payload.

Windows users who use Automatic Updates will receive the update automatically; the update can also be downloaded manually from Microsoft’s Download Center, or by using Microsoft Update or Windows Update.