Patched Windows Bug Will Be Danger For Months

[ROM-DOS]

Patched Windows Bug Will Be Danger For Months

Although Microsoft patched a major bug, the underlying vulnerability may haunt Windows users for the next six to eight months.

By Gregg Keizer

TechWeb News

Jan 6, 2006 03:00 PM

Although Microsoft pushed out a patch early to fix a major bug and even recommended that enterprises deploy it immediately, the underlying vulnerability will continue to haunt Windows users for the next six to eight months, a security professional said Friday.

Thursday, Microsoft released an out-of-cycle patch for the 10-day-old Windows Metafile flaw, admitting it did so to placate customers who were demanding an early fix.

"When I spoke to a number of customers and asked if the current situation warranted an out of band release of the update, they said yes," wrote Mike Nash, vice president for security business, on the Microsoft Security Research Center (MSRC) blog late Thursday.

Nash went on to recommend that enterprises roll out the fix as soon as they're able.

"You should deploy the update as soon as is feasible. Put it through your testing process and get it deployed. If it were my decision, I would move up [your] schedule. That is what we are doing in our IT operation here at Microsoft," he wrote.

"Absolutely that's the right advice," seconded Mike Murray, director of research at vulnerability management vendor nCircle. "The sooner you get everyone patched the better you are. The current exploits don't include an automated worm, but for threats that require some user interaction, this is as bad as it gets."

Exploits leveraging the WMF vulnerability now number in the hundreds, security firms allege, with thousands of Web sites -- some of them legitimate, but hacked to silently deploy malicious code -- seeding these exploits.

"We viewed this an incredibly serious threat from the beginning," said Murray. "It's been actively exploited in the wild. This is the kind of blended threat people will use for months for phishing attacks and to collect bots."

Murray estimated that it will take six to eight months for enterprises to fully deploy the WMF vulnerability patch, a time during which attackers will continue to compromise computers.

"This is definitely going to lave long legs," Murray said.

One of the things that rankled many critics in the security community prior to the patch release was how Microsoft dismissed the danger of the vulnerability.

On Wednesday, for instance, Debbie Fry Wilson, a director at the MSRC, claimed that her group was proactively looking for, and shutting down, malicious Web sites serving exploits. More importantly, she took issue with the call to danger some security groups were issuing.

"Frankly, our analysis is different from the inflammatory headlines we're seeing on some [security] newsgroups," Fry Wilson said Wednesday. "All they're doing is adding fuel to the fire. It's definitely a serious issue, but it isn't something that's spreading and it's not affecting large-scale customers."

That same day, Kevin Kean, another MSRC director, called the WMF problem a "contained event." Both noted that the WMF vulnerability required some user interaction to compromise a computer, which could mean as little as visiting a malicious Web site or as much as launching a file attachment.

Even a day later, when the Redmond, Wash.-based developer released its out-of-cycle patch, the company kept up the drumbeat. "Microsoft