Microsoft's patch for the Windows WMF flaw was "briefly and inadvertently" posted to a security website yesterday.
A spokeswoman refused to give exact details but noted that posting of the beta patch on the Internet has resulted in "some discussion and pointers on subsequent sites to the pre-release update". The company said that it "recommends that customers disregard the postings".
As for the critical unpatched flaw itself, users and analysts remain divided on whether it's a good idea to install an already available third-party patch to fix it or wait for Microsoft's official fix, expected next week.
The unofficial patch - developed by Belgian programmer Ilfak Guilfanov - works by disabling a DLL in Windows and has been available for download on Guilfanov's website at Hexblog.com for the past few days.
The influential SANS Internet Storm Center (ISC) and security vendor F-Secure are among the organizations that have been advising users to download Guilfanov's patch to mitigate the risk caused by the WMF flaw rather than waiting for Microsoft.
SANS has made the patch available for download on its site and claims more than 120,000 downloads already. It is the first time SANS has recommended such a course of action and it underscores the severity of the risk posed to companies by the WMF flaw.
What makes matters worse is that exploits for this vulnerability now exist, as do hacker tools designed to help such exploits sneak past anti-virus and other intrusion prevention defenses, he said. "It's a threat that's real and is being exploited, and there is no good defense against it," said Johannes Ullrich, chief technology officer at ISC.
Even so, several users and analysts said companies should avoid any unsupported or unofficial patch. That's because such third-party patches are unlikely to have been fully tested for quality and application-compatibility issues and could cause unforeseen problems down the road.