Microsoft releases patch for Windows vulnerability
By Ed Taylor, Tribune January 6, 2006
Responding to pressure from computer users, Microsoft Corp. issued an official fix Thursday for a major vulnerability that potentially allowed attackers to take control of personal computers connected to the Internet.
Originally the software giant said it would not release the patch for the flaw in its Windows operating system until Tuesday as part of a regular monthly security update, saying it needed the time to adequately test the fix. But on Thursday Microsoft said it was issuing the patch five days early because testing had been completed sooner than expected.
"In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible," the company said in a statement.
The patch became available to Windows computer users at 3 p.m. Arizona time Thursday.
Security experts said Microsoft was smart to move quickly because of the potentially serious nature of the vulnerability.
"With all the heat they were getting, they obviously decided to move it up," said Ken Colburn, owner of Tempe-based Data Doctors Computer Services. "It's them responding to what's going on."
"With this kind of demand (for a patch), it would be prudent once it was tested for them to release it early," said Cindy Kim, spokeswoman for PatchLink Corp., a Scottsdale-based computer security firm.
The flaw allowed attackers to exploit a vulnerability in an element of Windows called Windows Meta File that is used to view images. Potentially they could gain access to personal computers if the user is tricked into viewing an image on a malicious Web site or within an e-mail attachment. Once inside a personal computer, the attacker could steal the computer user's identity, install viruses or cause other problems.
PatchLink's testing indicated that the damage could be so severe that the operating system would have to be reinstalled from scratch, said Chris Andrew, vice president of security technology.
Data Doctors, PatchLink and other security firms were offering free temporary patches available through the Internet, but that became unnecessary Thursday when Microsoft released its permanent fix.
Microsoft said attacks appeared to have been limited and were mitigated prior to the release of the patch by the company's efforts to shut down malicious Web sites and by updates from anti-virus companies.
But Andrew said the events this week could be a precursor to more so-called "zero-day" threats, which involve hackers discovering operating system vulnerabilities and exploiting them before patches can be made available. The problem is becoming more serious because more information is available to hackers, and it's taking longer for patches to become available, he said.
"In 2006 we will see a lot more zero-day attacks," he predicted.