If enough people complain, even software giants like
Microsoft will heed their call.
That's the takeaway from Redmond's advisory today saying it would
patch a critical vulnerability in Windows metafile (WMF) today,
earlier than it had planned.
The latest patch comes after a critical vulnerability in the
Windows metafile (WMF) was discovered last week by security experts,
one that could potentially open up a user's computer to remote
exploitation and allow an attacker to make changes to the system.
Originally, the company had intended to release the patch next
week during its regularly scheduled Patch Tuesday security
But Microsoft said today it had moved the timetable up because it
finished tests on the patch early, and as a way to respond
"to strong customer sentiment that the release should be made
available as soon as possible," according to the advisory.
The security patch and details can be found here.
Since the vulnerability was first discovered, some Microsoft
customers were downloading unofficial patches from third-party
organizations while they awaited an official patch.
IDA Pro author Ilfak Guilfanov posted a hotfix on his blog, while
ESET and patch management vendor Patchlink released interim patches
today. Third-party patches can sometimes spell trouble of a
different sort for customers in terms of software incompatibility
In the case of Guilfanov's patch, a fix for the WMF flaw was in
high demand with computer owners. He wrote on his blog that the
hotfix page needed to be stripped to the bare minimum because of the
"incredibly high load" the page has experienced since the hotfix was
But downloading and installing patches on computers
could have the unintended consequence of dealing damage to software
"McAfee does not endorse, at this time, third-party patches,"
said Craig Schmugar, virus research manager at the security
company's Anti-Virus Emergency Response Team (AVERT), despite seeing
evidence of widespread infection of the WMF exploit since releasing
an anti-virus definition 12 hours after discovery.
In a week's time, he said, the particular signature ascribed to
the WMF exploit was detected on 156,000 computers.
The reason, Schmugar said, is compatibility and quality
assurance, reasoning backed up by Microsoft. In its security
advisory published last week, Microsoft officials cautioned users
against installing third-party patches, citing possible
"As a general rule, it is a best practice to utilize security
updates for software vulnerabilities from the original vendor of the
software," the advisory states. "With Microsoft software, Microsoft
carefully reviews and tests security updates to ensure that they are
of high quality and have been evaluated thoroughly for application
compatibility. In addition, Microsoft's security updates are offered
in 23 languages for all affected versions of the software
simultaneously. Microsoft cannot provide similar assurance for
independent third party security updates."
Sometimes, however, drastic measures such as installing an
unofficial patch are necessary. Tom Liston of the SANS Security
Institute's Internet Storm Center Web site called the WMF
vulnerability "very, very bad" and said users cannot wait for the
official patch from Microsoft.
Dean Turner, senior manager for security response at Symantec,
wouldn't come out and advise users against installing unofficial
patches, but warned network administrators to use caution.
"At the end of the day organizations need to be very careful
about deploying patches of any kind, unofficial or otherwise," he
said. "I would recommend that if people are going to install a patch
that they test it beforehand."
He did recommend administrators apply Microsoft's official patch
as soon as possible.
Patchlink sent e-mails to customers this morning with several
different courses of action its customers can take to address the
According to Chris Andrew, Patchlink vice president of security
technologies, the company wanted to provide several options for its
customers, who could then pick the method they wanted to take. The
company, like many security vendors, has also released workarounds
to close down some of the avenues of attack the WMF exploit might
"This is a very new development that customers need to be aware
of and need to look at," he said.