Thousands are scrambling to install Microsoft’s patch for the critical .WMF vulnerability as more than 100 exploits act as a channel of attack for spyware, Trojans and adware.
Microsoft, veering from its monthly patch release schedule, issued the patch for the Windows metafile (.WMF) on Thursday. An advisory coming out of Redmond said the software giant was responding to ”strong customer sentiment” that the release be made available as soon as possible.
The security patch can be found here.
This isn’t the first patch issued for the .WMF flaw. It’s just the first one from Microsoft. Several third-party patches had already been released, leaving many IT managers in a quandry as to whether to patch their systems with what was available or wait for an official Microsoft release.
”This is a move Microsoft had to make,” says Steve Sundermeier, a vice president with security company, Central Command, which is based in Medina, Ohio. ”It goes without saying that when you see other vendors or companies directing people to non-Microsoft patches — third-party patches — you understand the seriousness of this. Microsoft had to take note and say, ‘Hey, it’s not a good thing when other people are patching our stuff for us.”
According to Chris Andrew, vice president of security technologies at PatchLink, which is based in Scottsdale, Az., there are varying reports about how many computers have been affected by the exploits. Estimates, he notes, range from a quarter of a million computers to a full million.
”In the world of Microsoft, where there’s hundreds of millions of computers, that’s a relatively small percentage,” says Andrew. ”But don’t forget this isn’t over yet. The reality is you’re not safe until you’ve patched every single computer. In this case, there is no time to waste. It’s an average of 30 days to get a single, critical security patch rolled out… This could hang on and cause problems for the next month or even longer.”
Sundermeier agrees that IT managers shouldn’t be wasting time in getting the patch downloaded, tested and installed. But he warns that it’s critical not to leave out a step — testing.
”If you’re a large corporation, you need to test all patches,” he adds. ”If you have a lot of proprietary software, yes, you need to do the testing. The last thing you want to do is to make things worse.”
The exploit hit the Wild last week, infecting fully patched machines. It’s being called a zero-day attack because the exploit code was released the same day the vulnerability was identified. Sundermeier points out that the security community hadn’t even known about the bug until the exploit hit the Wild.
Malicious code on a number of Web sites exploited the vulnerability on users’ machines. At this point, according to Sundermeier, mass-mailing emails have not been sent out directing people to the malicious sites. Users who have been hit have unfortunately stumbled upon the sites.
The Web sites involved download a malicious .WMF file onto the user’s computer. That file exploits the vulnerability, and then opens a backdoor and downloads a keylogger. If the user is logged in to her machine as an administrator, then the attacker could have complete control of the machine.
Vulnerable operating systems include several Windows Server 2003 editions: Datacenter Edition, Enterprise Edition, Standard Edition and Web Edition. Windows XP Home Edition also is at risk, along with Windows XP Professional.