Microsoft Patches WMF Flaw Early, Issues Two Additional Patches
Published: January 11, 2006
by Alex Woodie
Microsoft surprised the IT community last week when it issued an out-of-cycle patch for a critical vulnerability in the Windows Meta File (WMF) format that had been exploited in numerous attacks since late December. Then, the company issued two more patches yesterday--its regular monthly security update day--for additional critical vulnerabilities, one affecting most versions of Windows and another affecting older versions of Exchange and Outlook.
In what was the first episode of its kind in recent memory, Microsoft bowed to pressure from the IT industry last week and rushed a patch for the WMF flaw into production, despite claims it made earlier in the week that the WMF vulnerability was not being widely exploited and that customers who kept their anti-virus and intrusion prevention systems up to date were protected.
The change of heart occurred after Microsoft reported it had completed development of the patch, but hadn't yet completed thorough testing of the product, which it had initially planned to release simultaneously around the world in 23 languages (see "Fix for WMF Flaw Due January 10, Microsoft Says").
Microsoft faced pressure to release the patch from an assortment of groups, including the influential SANS Internet Storm Center, which recommended that Windows users implement, in addition to Microsoft's workaround, a third-party patch for the WMF flaw that was developed by Ilfak Guilfanov, a Russian programmer living in Europe. SANS said it had fully tested Guilfanov's patch and found it acceptable. Other IT security organizations recommended that users avoid the third-party patch and wait for Microsoft's official patch. As it turned out, there was not much of a wait.
The fix for the WMF flaw in the Windows graphics rendering engine was the first of the new year, but there were more, including a patch for a flaw in the way Windows renders Web fonts, which is described in Microsoft Security Bulletin MS06-002.
The Windows Embedded Web Fonts vulnerability could enable an attacker who has administrative rights to take complete control of an affected system, and affects Windows 98/ME/SE, Windows 2000 Service Pack 4, Windows XP SP1 and SP2, Windows Server 2003 and its SP1 release, and the 64-bit versions of Windows Server 2003 designed for X64- and Itanium-based machines. This vulnerability was discovered by eEye Digital Security, which reported it privately to Microsoft. The company did not say whether this vulnerability was being actively exploited.
The second security patch released yesterday, Microsoft Security Bulletin MS06-003, fixes a critical problem in the way that Exchange and Outlook decode Transport Neutral Encapsulation Format (TNEF) MIME attachments that could allow an attacker to take complete control of an affected system. Just about every version of Outlook and Exchange since Outlook 2000 and Exchange 5.0 is susceptible to the flaw, except for Exchange Server 2003 SP1 and SP2.
Microsoft says it is not aware of any active attacks using the TNEF flaw, which was privately reported to Microsoft by NGS Software, an English company that researches the security of software and develops security software.
This will be the final free security update for Exchange 5.5. Support for this product was supposed to have ended December 31, but Microsoft made this one final patch available to the product, which is still in widespread use, when it announced changes to its software support policy (see "Exchange Server 5 Gets One Last Reprieve").