A Microsoft official has defended the company's response to the discovery of a security vulnerability involving the Windows Metafile (WMF) format. This flaw put systems running Windows XP and Windows Server 2003 at risk from malicious hackers.
The software company went into emergency mode after it learned of the critical WMF vulnerability on 27 December and immediately assembled a team that worked non-stop until its members developed the fix, which was released on Thursday. So said Debby Fry Wilson, director of security engineering and communications, during a webcast to discuss the situation.
Wilson said Microsoft launched its Software Security Incident Response Process, "an emergency response process that triggers bringing literally all the people who have a stake in the issue to the table". She added: "The teams have been very dedicated and have been here 24 hours a day for the past 10 days or so to make sure we have an effective resolution of this issue."
Microsoft released a patch for the security hole on Thursday, ahead of its original plan of issuing it tomorrow, which is when it will release its monthly set of security patches and updates. Microsoft had come under fire from critics who said it was taking too long to fix the problem, considering it was a zero-day type. This refers to vulnerabilities that malicious hackers begin to exploit while there is no patch or certified workaround.
Fry Wilson said on Friday that the exploits weren't spreading as quickly as some experts were suggesting, and said that is why Microsoft felt it could wait to release its fix until it had been fully tested and certified to work.
From the moment it learned of the vulnerability, Microsoft also went to work with ISPs (internet service providers) to have them block access to malicious sites hosting exploits, she added. It also immediately reached out to antivirus vendors, which in turn promptly began to release definitions to protect users. These efforts significantly mitigated the spread of the damage while Microsoft came up with a solution, she said.
"Knowing exploitations were serious but not spreading quite as rapidly as some in the community were indicating, we needed to weigh putting out an out-of-band update with the need to make sure it was effective. That’s why we were very adamant about producing the update that had gone through the complete testing matrix and cycle we normally do for a [regular patch] release on the second Tuesday of the month, and we completed that yesterday," Fry Wilson said.
On Sunday, the SANS Institute's Internet Storm Center (ISC) urgently advised users of vulnerable systems to apply an unofficial patch, saying they shouldn't wait for the official Microsoft fix. Microsoft discouraged users from following this advice.
Microsoft labels the vulnerability as critical for Windows 2000 SP4, Windows XP SP1, Windows XP SP2, Windows Server 2003 and Windows Server 2003 SP1. It concerns the way these operating systems' graphic rendering engines process graphics in WMF format. Successful exploits can allow malicious hackers to remotely execute code of their choice on a machine.
The vulnerability is deemed not critical for Windows 98, Windows 98SE and Windows Me. Users of Windows NT 4.0, Windows 2000 SP3 and Windows XP Gold should upgrade their operating systems because those versions are no longer supported by Microsoft, said Christopher Budd, security program manager at the Microsoft Security Response Center. There have been no known attacks against Windows 2000 systems, he said.
Users with vulnerable and unpatched systems can fall prey to an attack if they navigate to a web page containing a malicious WMF file, if they open a malicious WMF file in an email attachment or if they open a document, such as a Word document, that contains such a file.
Microsoft had previously approved a workaround to the WMF problem that unregistered the Windows Picture and Fax Viewer, making it unable to process WMF files. Once the new patch has been installed, however, users can roll back that workaround and enable the Picture and Fax Viewer.
Microsoft has made the patch available for deployment through the usual automated update channels, such as SUS (Software Update Services), WSUS (Windows Server Update Services) and other Microsoft tools.
More information can be obtained here.