The company is breaking with its monthly patch cycle because it completed testing of the security update earlier than it anticipated, it said in a note on its Web site. "In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible," the company said.
Security bulletin MS06-001, originally scheduled for Tuesday, is the first security bulletin of this year and fixes a vulnerability in the way Windows renders Windows Meta File images. The bug was discovered last week and is increasingly being used in what Microsoft calls "malicious and criminal attacks on computer users."
Critics had called for Microsoft to release the patch as soon as possible. With people unable to patch their systems, the flaw could provide an opportunity for cybercriminals to launch increasingly sophisticated attacks on users, they have said.
Some security experts, in an unusual move, even recommended that users apply a third-party patch developed by European programmer Ilfak Guilfanov.
Threat under control
Microsoft does not know of any widespread attacks on Windows
users, but it urges customers to upgrade and deems the issue
"critical."
"Although the attacks based on WMF are very real, and the exploitation and the threats are evolving on a very fast basis, our analysis is consistent that the infection rate is low to moderate," Debby Fry Wilson, a director in Microsoft's Security Response Center, said in an interview. "However, the threat is very real, and customers should take the action of deploying this update as soon as possible."
One security expert applauded Microsoft for releasing the fix early. "Everybody was hoping they would get the patch out before a major attack would start," said Mikko Hypponen, the chief research officer at security company F-Secure. "Now it looks like they are succeeding in doing just that. Well done."
Susan Bradley, network administrator at Tamiyasu, Smith, Horn and Braun, an accountancy firm in Fresno, California, said she plans to start testing the Microsoft patch now and deploy it Friday night. "Microsoft listened, and I could give them a hug for that," she said.
No fix for Windows 98, ME
Also on Thursday, Microsoft said that older versions of Windows
are immune to the latest wave of attacks targeting the operating
system.
While Windows 2000, Windows XP and Windows Server 2003 are vulnerable, Windows 98 and Windows Millennium Edition are not exposed to the same threats that exploit the WMF flaw, according to an update to a Microsoft security advisory on the issue.
Microsoft initially also listed the older versions of the operating system as equally vulnerable, but has now backpedalled on that, giving users of older Windows versions a reprieve.
"Although Windows 98, Windows 98 Second Edition and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a critical severity rating for these versions," the company said in its updated advisory.
The WMF code in the older versions of Windows isn't flawless, but the vulnerability is much harder to exploit, said Mike Reavey, an operations manager at the Microsoft Security Response Center.
"There are a lot of mitigating factors, a lot of initial user action," he said. "It is a much different attack. You may be eventually able to get to the code, but it certainly would not be on the level of critical."
Hypponen agreed. "Although the WMF bug is there (in the older versions), there's no known code at the moment to exploit it," he said.
In more bad news for vulnerable PCs, Microsoft warned of another way for attackers to use the flaw--via a malicious image embedded in a Microsoft Office document. The company previously said that an attack could only occur if a user visited a Web site containing a malicious image or opened such a file attached to an e-mail.
Because the issue is not deemed critical for Windows 98 and ME, Microsoft no longer plans to issue a security fix for these OSes. "Per the support life cycle of these versions, only vulnerabilities of critical severity would receive security updates," the company said.
A link in the article would have been nice. That's why I came here, because finding anything on that ms website is a pain.