Microsoft WMF Fix Released ‘Inadvertently’

A Microsoft work-in-progress security update to repair the critical Windows MetaFile (WMF) security hole was accidentally released to security sites, the company said late Tuesday. "In our effort to put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site," Mike Reavy noted on the Microsoft Security Response Center Blog. "There has been some discussion and pointers on subsequent sites to the pre-release code. We recommend that customers disregard the postings and continue keep up-to-date with our latest information on the WMF issue. "

Reavy said the update is still scheduled to be released Tuesday, Jan. 10 as part of Microsoft's regular monthly security advisory. With no official patch for the vulnerability, several prominent security organizations are recommending an unofficial patch developed by programmer Ilfak Guilfanov. On Tuesday Guilfanov's web site, Hexblog.com, was linked from posts at Slashdot and Digg, and soon was offline, apparently for exceeding its bandwidth allotment. The site came back online Wednesday, but the unofficial patch is being mirrored by numerous sites, including the Internet Storm Center, which has also provided an FAQ about the WMF vulnerability..

Microsoft is recommending that Windows users wait for the official security update Tuesday, and insisted that it is working as fast as it can but must test its patches to work on multiple Windows OSes and in 23 languages. "The expedited track to investigate the vulnerability and develop the security update includes redirecting resources from other security development and testing efforts to primarily focus around the clock on producing and releasing the WMF security update," Reavy wrote.