Windows users pushed Microsoft to release patch
Vulnerability left PCs open to viruses, spyware
By Marsha Walton
YOUR E-MAIL ALERTS
(CNN) -- Windows users worried about malicious attacks helped prod Microsoft to release a patch for a vulnerability five days earlier than expected.
For more than a week, criminal hackers have been exploiting the flaw in some Windows graphics files, known as Windows Meta File, or WMF.
"While we would always like to have more time, we are confident in the quality of the update," wrote Mike Nash, corporate vice president for security at Microsoft in the Microsoft Security Response Center Blog.
"While there is no imminent threat, a number of customers are seeing exploit traffic hitting their AV (anti-virus), IDS (intrusion detection system) and IPS (intrusion prevention systems).
Until the patch release Thursday, the software giant had planned to make the fix available along with all its other security updates for this month on Tuesday, January 10.
There is a link to the fix on the Microsoft home page, which should protect Windows users from being infected with the malicious code.
Customers who use the "automatic updates" function will receive the patch automatically and do not need to take further action.
About 90 percent of computer users worldwide use some form of the Windows operating system.
Microsoft became aware of the malicious attacks December 27.
User concerns were heightened because of an especially dangerous aspect of these attacks: Your computer could be infected with viruses, spyware or other malicious programs just by viewing a Web page, an e-mail message, or an Instant Message that contained one of the contaminated images.
Computer security experts have been dealing with scores of variations on the attack since it was discovered.
"Nobody knew it was coming," security expert Rick Howard of Counterpane Internet Security said. "There was no security intervention or mitigation for it."
Unlike infamous computer worms and viruses like Blaster, Code Red or I Love You, the WMF attack is not spreading like wildfire across the Internet.
Most of the malicious efforts fit the patterns of recent attacks. They are not designed to earn bragging rights for a brash programmer, but instead are likely tied to theft, fraud and organized crime.
Some of the exploits so far identified are designed to steal passwords. Others install computer code that turns machines into zombies, which can then be controlled remotely to spew spam and viruses.
Microsoft issued its first security advisory on the issue December 28, the day after it became aware of the attacks.
Although the Microsoft security advisory characterized the attacks as "not widespread," there was an intense focus on the attacks and malicious possibilities across tech Web sites.
In a somewhat unusual development, an unofficial, third-party patch was posted on the Web several days before Microsoft's official fix.
That patch was created by Russian engineer Ilfak Guilfanov, and is available through the SANS Internet Storm Center, http://isc.sans.org/, and other security-related Web sites.
Although Howard said Guilfanov's fix has been tested and is being released by the "good guys," there can be complications, even with official patches.
Something designed to fix one problem, like the WMF exploit, can sometimes wreak havoc on other computer components. Although tech-savvy home users who are aggressive about their security might download and install the unofficial patch with no problems, Howard said the average home user, and big companies with complex computer networks, would do better to use the official Microsoft fix.
Microsoft's Nash acknowledged the complexity of security patches in his blog.
"Actually creating the update was a straightforward process. The challenge was testing the update on all of the supported versions of Windows and the 23 languages we support and making sure that the set of applications that might be affected by this update are not negatively affected by this change," he wrote.
Computer security companies recommend several safe-computing practices. A few tips:
"The good news for home users is that most standard antivirus vendors are keeping up to date, and as long as they download the right signature, they'll be OK," Howard said.
|© 2007 Cable News Network.
A Time Warner Company. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines. Contact us. Site Map.