Sunday, January 08, 2006

InformationWeek: Patched Windows Bug Will Be Danger For Months (January 6, 2006)

Although Microsoft pushed out a patch early to fix a major bug and even recommended that enterprises deploy it immediately, the underlying vulnerability will continue to haunt Windows users for the next six to eight months, a security professional said Friday.

On Thursday, Microsoft released an out-of-cycle patch (MS06-001) for the 10-day-old Windows Metafile (WMF) flaw, CVE-2005-4560, acknowledging that it did so because customers were demanding an early fix.
"When I spoke to a number of customers and asked if the current situation warranted an out of band release of the update, they said yes," wrote Mike Nash, vice president for security business, on the Microsoft Security Response Center (MSRC) blog late Thursday.

Nash went on to recommend that enterprises roll out the fix as soon as they're able.

"You should deploy the update as soon as is feasible. Put it through your testing process and get it deployed. If it were my decision, I would move up [your] schedule. That is what we are doing in our IT operation here at Microsoft," he wrote.

"Absolutely that's the right advice," seconded Mike Murray, director of research at vulnerability management vendor nCircle. "The sooner you get everyone patched the better you are. The current exploits don't include an automated worm, but for threats that require some user interaction, this is as bad as it gets."

Exploits leveraging the WMF vulnerability now number in the hundreds, security firms say, and thousands of Web sites are seeding them, some of them legitimate sites that have been hacked to silently serve the malicious code.
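The article does not describe the mechanism behind these exploits. As background the page does not spell out: the flaw fixed by MS06-001 lay in GDI's handling of the WMF Escape record (function 0x0626) carrying the SETABORTPROC escape (0x0009), which let a crafted image register an "abort procedure" pointing at attacker-supplied bytes inside the file. Legitimate image files essentially never contain SETABORTPROC (it only makes sense when printing), so its presence is a cheap triage signal for the hacked-site payloads mentioned above. The scanner below is an added example written for this page, not code from InformationWeek, Microsoft, or nCircle; the two sample files it checks are constructed inline (the "malicious" one carries inert NOP filler, not a working exploit), and the META_SETWINDOWORG record used as benign filler is an arbitrary choice. It walks the record list by content rather than trusting the file extension, because the in-the-wild files were frequently served as .jpg or .gif and Windows rendered them by content anyway.

```python
import struct

META_ESCAPE = 0x0626        # WMF record type: Escape
META_EOF = 0x0000           # WMF record type: end of file
META_SETWINDOWORG = 0x020B  # benign filler record used in the samples
SETABORTPROC = 0x0009       # escape function abused by the MS06-001 exploits
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte "placeable" header that may precede a WMF


def find_setabortproc(data: bytes):
    """Return the byte offsets of every Escape record whose escape function is SETABORTPROC.

    An empty list means the file carries no such record. Raises ValueError if the
    data is too short to hold a WMF header at all.
    """
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22  # skip the placeable header; the standard header follows it
    if len(data) < off + 18:
        raise ValueError("too short for a WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]  # HeaderSize, in 16-bit words
    off += header_words * 2  # normally 9 words = 18 bytes

    hits = []
    # Every record starts with Size (u32, in 16-bit words) and Function (u16).
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            break  # malformed: a record cannot be smaller than its own 6-byte prefix
        if func == META_ESCAPE and off + 10 <= len(data):
            # Escape params: EscapeFunction (u16), ByteCount (u16), then data
            escape_func = struct.unpack_from("<H", data, off + 6)[0]
            if escape_func == SETABORTPROC:
                hits.append(off)
        if func == META_EOF:
            break
        off += size_words * 2
    return hits


def is_suspicious_wmf(data: bytes) -> bool:
    """Triage verdict: True if any SETABORTPROC escape is present."""
    return bool(find_setabortproc(data))


# --- constructed sample files (assumed layout follows the MS-WMF record format) ---

def record(func: int, payload: bytes = b"") -> bytes:
    if len(payload) % 2:
        payload += b"\x00"  # records are word-aligned
    return struct.pack("<IH", 3 + len(payload) // 2, func) + payload


def escape_record(escape_func: int, blob: bytes) -> bytes:
    return record(META_ESCAPE, struct.pack("<HH", escape_func, len(blob)) + blob)


def build_wmf(records) -> bytes:
    body = b"".join(records) + record(META_EOF)
    total_words = 9 + len(body) // 2
    max_record = max((len(r) // 2 for r in records), default=3)
    # Type=1 (in-memory), HeaderSize=9 words, Version=0x0300, Size, NumObjects, MaxRecord, NumMembers
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, total_words, 0, max_record, 0)
    return header + body


BENIGN_WMF = build_wmf([record(META_SETWINDOWORG, struct.pack("<hh", 0, 0))])

# Same benign record followed by a SETABORTPROC escape wrapping 16 inert NOP bytes.
SUSPICIOUS_WMF = build_wmf([
    record(META_SETWINDOWORG, struct.pack("<hh", 0, 0)),
    escape_record(SETABORTPROC, b"\x90" * 16),
])

# The suspicious file again, prefixed with a placeable header (bounding box 0,0-100,100 at 96 dpi).
PLACEABLE_SUSPICIOUS_WMF = (
    struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0) + SUSPICIOUS_WMF
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF),
                       ("suspicious", SUSPICIOUS_WMF),
                       ("placeable+suspicious", PLACEABLE_SUSPICIOUS_WMF)):
        print(f"{name}: SETABORTPROC records at {find_setabortproc(blob)}")
```

Treat a hit as a reason to quarantine and inspect, not as proof of exploitation; conversely, a clean result only says this particular escape is absent, so pair it with the patch rollout rather than using it in place of one.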

"We viewed this an incredibly serious threat from the beginning," said Murray. "It's been actively exploited in the wild. This is the kind of blended threat people will use for months for phishing attacks and to collect bots."

Murray estimated that it will take six to eight months for enterprises to fully deploy the WMF vulnerability patch, a time during which attackers will continue to compromise computers.