Microsoft has decided to release a patch for the Windows WMF flaw in response to what it described as "strong consumer sentiment" for an early fix to the problem.
Enterprise customers who are using Windows Server Update Services should have received the update automatically, the company said in a statement. Manual downloads are available here.
In addition, the update is supported by Microsoft Baseline Security Analyzer 2.0, Systems Management Server and Software Update Services, the company said. Individual users who use Automatic Updates will receive the patch automatically.
Microsoft had originally said it would release the patch next Tuesday as part of its regularly scheduled monthly updates. But the company has been under mounting pressure from users and security analysts in the wake of a growing number of attack methods targeting the flaw. Those attack methods became more numerous over the past few days.
"Microsoft will continue to monitor attack data, which has thus far indicated that the attacks exploiting this vulnerability are limited and mitigated by efforts to shut down malicious websites and with up-to-date signatures from antivirus solutions," the company said in its statement.
In addition to the patch for the WMF flaw, Microsoft will also release a security bulletin detailing updates for flaws in Windows, Exchange and Office products that will be released on 10 January. The maximum severity rating for the flaws described in these bulletins is critical, the company said in an advance notification.
The company will also release an updated version of its malicious-code-removal tool on Tuesday as part of its monthly security updates.
Johannes Ullrich, chief technology officer at the SANS Internet Storm Center (ISC) in Maryland, said his company has tested the patches and they appear to be working fine.
"It’s really good of Microsoft to have released the patches so quickly," said Ullrich, whose organisation had been recommending that companies download a third-party patch released by a Belgian security expert instead of waiting for Microsoft’s scheduled 10 January update.
"So far as we can tell, the [third-party] patch does not interfere with Microsoft’s patch," Ullrich said. But it is better for those who have installed the unofficial patch to uninstall it after they have implemented the Microsoft patch, he added.
"It can only hurt at that point [to have both patches]", Ullrich said, adding that SANS's ISC has posted details on its website telling users who may have installed any of the earlier patches or workarounds how to update to the official Microsoft release.
Chris Christianson, an analyst with IDC, said the early move by Microsoft to release the patch is not a surprise because the company has "grown much more responsive over the last few years to security vulnerabilities". The company created its regularly scheduled update cycle in response to earlier customer concerns of previous piecemeal efforts and is now breaking from its regular schedule because of the severity of this vulnerability, he said.
"I see this as a good thing, that it sees this as a schedule that needs to be broken [in this case]," Christianson said.