Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to  
Microsoft's fix is in for WMF flaw
Published: 2006-01-05

The software giant finished up testing on the official patch for the vulnerability in the Windows Meta File (WMF) format on Thursday and began releasing the fix though Windows Update and its download sites around 2 p.m. PST.

Microsoft released the patch as security professionals started to take the software giant to task for what they perceive as a slow response to a critical security issue. The flaw in the WMF format concerned many security experts over the holidays because the vulnerability can be exploited in Internet Explorer by serving up specially-crafted images from a malicious Web site. The Mozilla Corporation's Firefox browser does not immediately run code but reportedly asks permission to display the malicious images.

Microsoft originally announced on Tuesday that, while a patch had been created for the issue, it would not be released until January 10 so that it could be further tested.

"The development and testing teams have put forth a considerable effort to address this issue and respond to the strong customer sentiment that the release should be made available as soon as possible," the software giant said in a statement sent to SecurityFocus.

An unofficial patch for the problem had been released by software developer Ilfak Guilfanov and had encountered enormous demand after security experts vetted the patch and declared it a good solution. According to the SANS Institutes's Internet Storm Center, the patch released by Microsoft uses essentially the same tactic as Guilfanov's patch but whereas Microsoft could recompile the affected module with the fix, Guilfanov could not.

At least one report of network printing problems caused by the Guilfanov's patch surfaced on Wednesday.

Posted by: Robert Lemos
    Digg this story   Add to  
Comments Mode:
Microsoft's fix is in for WMF flaw 2006-01-05
Anonymous (1 replies)


Privacy Statement
Copyright 2009, SecurityFocus