Pre-release Microsoft patch for WMF flaw leaked

04.01.2006
A pre-release version of a Microsoft Corp. patch being developed to fix the recently disclosed Windows WMF flaw was 'briefly and inadvertently' posted on a security Web site, the company confirmed this morning.

A spokeswoman for Microsoft refused to give further details on what exactly happened or on what site the pre-release patch was posted. But in a brief update to an earlier advisory on the WMF flaw, Microsoft noted that posting of the beta patch on the Internet has resulted in 'some discussion and pointers on subsequent sites to the pre-release update.'

'Microsoft recommends that customers disregard the postings,' the company said.

The latest development comes as users and analysts appear to be divided on whether it's a good idea to install an already available third-party patch to fix the Windows WMF vulnerability or to wait for Microsoft Corp.'s official fix, which isn't slated to be released until Jan. 10.

The unofficial patch -- developed by Belgian programmer Ilfak Guilfanov -- works by disabling a DLL in Windows and has been available for download on Guilfanov's Web site at Hexblog.com for the past few days.

The influential SANS Internet Storm Center (ISC) and security vendor F-Secure Corp. are among the organizations that have been advising users to download Guilfanov's patch to mitigate the risk caused by the WMF flaw rather than waiting for Microsoft's patch. SANS has made the patch available for download on its Web site and says that more than 120,000 downloads have already been made. F-Secure is another company that says it has tested and audited the patch, and is recommending that users download it to protect themselves against WMF exploits. 'We're running it on all of our own Windows machines,' the company said in a blog on its Web site.