While security researchers are advising Windows users to rush to install an unofficial patch to fix a vulnerability, Microsoft wants customers to wait another week for its official security update.
The problem is in the way various versions of Windows handle graphics in the WMF (Windows Metafile) format. When a vulnerable computer opens a maliciously crafted WMF file, it can be forced to execute arbitrary code. Microsoft published a first security advisory on 28 December, saying it had received notification of the problem on 27 December and was investigating whether a patch was necessary.
On Tuesday, Microsoft updated the advisory to say it has completed development of its own patch, and is now testing it for release next week.
The company said it carefully reviews and tests its security updates, and offers them in 23 languages for all affected versions of its software simultaneously. It "cannot provide similar assurance for independent third-party security updates," it said.
The number of users potentially at risk is high, with all versions of Windows exhibiting the vulnerability, but the number actually affected so far is relatively low, researchers say.
Staff at McAfee's Avert security research lab report that 7.45 percent of users of the company's retail security products were found to have computers infected with malicious programs through the WMF exploit as of Tuesday. That's up from 6 percent of users on Saturday.
However, the chance of running into a malicious WMF file is climbing, and with it the danger of running an unpatched system. Already, one security website has had to warn its readers to stay away: the owners of the knoppix-std site warned in a forum posting that hackers had modified the site so as to attempt to exploit the vulnerability on site visitors' machines.
There is "a lot of potential risk" associated with the vulnerability, according to Jay Heiser, a research vice president with Gartner and the company's lead analyst on information security issues. "If it can be exploited in any significant way, it would be an extremely big risk. It's a race between Microsoft and the exploit community," he said.
The bad guys had a head start in that race. Security researchers at Websense first spotted malicious Web sites using the exploit on 27 December, but those sites may have been doing so as early as 14 December, the company said.
On 28 December, Microsoft ambled out of the starting blocks with its first security advisory acknowledging a potential problem.
Over the weekend, it updated this to suggest a way in which users could reduce the risk by disabling an affected part of the OS, called shimgvw.dll. Microsoft warned that the fix has the side effect of stopping the Windows Picture and Fax Viewer from functioning normally. Others report that it also stops Windows Explorer from showing thumbnails for digital photos.
Security researchers outside Microsoft had other ideas: rather than disable shimgvw.dll, they would modify it so that only the functionality considered dangerous was blocked. By 31 December, programmer Ilfak Guilfanov had developed an unofficial patch to reduce the danger of attack, without impairing Windows' graphics functions.
His patch quickly won the support of security researchers including The SANS Institute's Internet Storm Center (ISC) (who made the patch available from its site) and F-Secure.
Mikko Hypponen, chief research officer at F-Secure, feels safe recommending the Guilfanov patch for several reasons.
"We know this guy. We have checked the code. It does exactly what he says it does, and nothing else. We've checked the binary, and we've checked that the fix works," he said.
He had one final vote of confidence: "We've installed it on all our own computers."
However Sophos's senior security consultant Carole Theriault advised businesses not to install the unofficial patch. "We wouldn't recommend it, for testing reasons," she said.
One of the hidden dangers of the WMF vulnerability is that things are not always what they appear. Usually, WMF files can be identified by their .WMF file extension, and blocked as a precaution, but attackers may choose to disguise malicious files simply by giving them another image file suffix, such as .JPG, because the Windows graphics rendering engine attempts to identify graphics files by their content, not their name. That was the case with a file with the title "happynewyear.jpg" that began circulating in e-mail messages on 31 December: If opened on a Windows machine, the file attempts to download and install a backdoor called Bifrose.
As a consequence, said Theriault, businesses should keep existing anti-virus protection up to date and concentrate on blocking unsolicited mail while waiting for the Microsoft patch, as this may help to screen out attacks. They should encourage users to practice safe computing by only visiting reputable Web sites and taking care with what they download, she said.
(Jeremy Kirk in London contributed to this report.)