Patched Windows Bug Will Be Danger For Months

Thursday, Microsoft released an out-of-cycle patch for the 10-day-old Windows Metafile flaw, admitting it did so to placate customers who were demanding an early fix.

"When I spoke to a number of customers and asked if the current situation warranted an out of band release of the update, they said yes," wrote Mike Nash, vice president for security business, on the Microsoft Security Research Center (MSRC) blog late Thursday.

Nash went on to recommend that enterprises roll out the fix as soon as they're able.

"You should deploy the update as soon as is feasible. Put it through your testing process and get it deployed. If it were my decision, I would move up [your] schedule. That is what we are doing in our IT operation here at Microsoft," he wrote.


"Absolutely that's the right advice," seconded Mike Murray, director of research at vulnerability management vendor nCircle. "The sooner you get everyone patched the better you are. The current exploits don't include an automated worm, but for threats that require some user interaction, this is as bad as it gets."

Exploits leveraging the WMF vulnerability now number in the hundreds, security firms allege, with thousands of Web sites -- some of them legitimate, but hacked to silently deploy malicious code -- seeding these exploits.

"We viewed this an incredibly serious threat from the beginning," said Murray. "It's been actively exploited in the wild. This is the kind of blended threat people will use for months for phishing attacks and to collect bots."

Murray estimated that it will take six to eight months for enterprises to fully deploy the WMF vulnerability patch, a time during which attackers will continue to compromise computers.

"This is definitely going to have long legs," Murray said. One of the things that rankled many critics in the security community prior to the patch release was how Microsoft dismissed the danger of the vulnerability.

On Wednesday, for instance, Debbie Fry Wilson, a director at the MSRC, claimed that her group was proactively looking for, and shutting down, malicious Web sites serving exploits. More importantly, she took issue with the alarms some security groups were raising.

"Frankly, our analysis is different from the inflammatory headlines we're seeing on some [security] newsgroups," Fry Wilson said Wednesday. "All they're doing is adding fuel to the fire. It's definitely a serious issue, but it isn't something that's spreading and it's not affecting large-scale customers."

That same day, Kevin Kean, another MSRC director, called the WMF problem a "contained event." Both noted that the WMF vulnerability required some user interaction to compromise a computer, which could mean as little as visiting a malicious Web site or as much as launching a file attachment.

Even a day later, when the Redmond, Wash.-based developer released its out-of-cycle patch, the company kept up the drumbeat. "Microsoft's monitoring of attack data continues to indicate that the attacks are limited and are being mitigated both by Microsoft's efforts to shut down malicious Web sites and by up-to-date signatures from anti-virus companies," a statement read.

Murray took exception. "Someone in the organization realized that this was serious," he said. "Microsoft may have been downplaying the threat publicly, but the fact that it released the patch early, that speaks a lot louder than their denial of the danger.

"They knew this was important to do," Murray said.

"Microsoft uses the phrase 'no user interaction required' to downplay threats all the time," noted Murray. "But many of the biggest threats have required some user interaction. The ILOVEYOU worm and Sober, for example. There are definitely the Code Reds and the Nimdas, but in the annals of massive threat history, there are significant events that spread with the help of users."
