Microsoft rushes out fix

Patch out not a moment too soon

Microsoft yielded to intense pressure from customers in January and rolled out an emergency patchto fix a serious Windows Metafile (WMF) flaw. The move followed the launch of unofficial fixes, which some security experts had advised firms to deploy.

The software giant was due to release the fix on Tuesday 10 January as part of its monthly patch bundle. However, earlier in the month it gave in to customer pressure to release a fix early.

Experts welcomed the decision. “The patch was obviously deemed critical enough to break the traditional patch cycle – a benefit to all Microsoft users,” said Alan Bentley, UK managing director at PatchLink.

But the length of time taken to roll out patches within enterprises could let hackers continue exploiting the bug for some time. “Average numbers from last year were around 30 days to get a patch fully deployed across a corporate network,” Bentley said.

Meanwhile, the situation highlighted a dilemma for firms on where to look for protection, as unofficial fixes for the bug had already been released. One unofficial fix, released by software developer Ilfak Guilfanov, was endorsed by organisations including the Internet Storm Center (ISC).

Andy Kellett of analyst Butler Group said his firm usually advises against applying unofficial patches as they could worsen problems.

“But this particular vulnerability was serious enough to be worried about and the [Guilfanov] patch was authenticated by some strong authorities,” he added.