A Microsoft work-in-progress security update to repair the critical Windows MetaFile (WMF) security hole was accidentally released to security sites, the company said late Tuesday. "In our effort to put this security fix on a fast track, a pre-release version of the update was briefly and inadvertently posted on a security community site," Mike Reavy noted on the Microsoft Security Response Center Blog. "There has been some discussion and pointers on subsequent sites to the pre-release code. We recommend that customers disregard the postings and continue keep up-to-date with our latest information on the WMF issue. "
Reavy said the update is still scheduled to be released Tuesday, Jan. 10 as part of Microsoft's regular monthly security advisory. With no official patch for the vulnerability, several prominent security organizations are recommending an unofficial patch developed by programmer Ilfak Guilfanov. On Tuesday Guilfanov's web site, Hexblog.com, was linked from posts at Slashdot and Digg, and soon was offline, apparently for exceeding its bandwidth allotment. The site came back online Wednesday, but the unofficial patch is being mirrored by numerous sites, including the Internet Storm Center, which has also provided an FAQ about the WMF vulnerability..(more...)