Microsoft Rushes Out WMF Security Fix

Just days after announcing plans to release a patch that fixes a security vulnerability in Windows Meta File image processing on January 10, Microsoft has rushed out the update early. The company said the patch was ready earlier than expected and its decision was based on feedback from partners.

WMF, or Windows Metafile, is a vector based image format used by Microsoft's operating systems. SHIMGVW.DLL is loaded to render the images and contains a flaw that opens the door for a malformed WMF image to cause remote code execution and potentially allow for a full system compromise.

"So what changed to make us decide to release an update today? Two things: The first is that we have an update that we believe in. The team worked very hard to run all of the key scenarios that we are concerned about," explained Mike Nash, corporate vice president for security at Microsoft.

"While we would always like to have more time, we are confident in the quality of the update. The second issue is that while there is no imminent threat, a number of customers are seeing exploit traffic hitting their AV, IDS and IPS systems."

Microsoft consulted partners about the out of band update, who recommended the company release the update as soon as possible.

"I reminded them of their past feedback about out of band updates being an inconvenience and their preference for the monthly release schedule," Nash said. "Overall, they felt that we had made these out of band releases so infrequent, that doing it once when it matters was not a big deal."

Nash suggests that customers install the patch immediately. Customers can download the fix through Windows Update or Microsoft Update, and enterprise customers can receive it through SUS.

"With the update available today, you certainly have the choice of deploying now or waiting until your normal release process. If it were my decision, I would move up the schedule," he added.