Pre-release Microsoft patch for WMF flaw leaked

04.01.2006

At the same time, the law firm is extremely reluctant to install the third-party patch on production servers -- even though it is testing it on a few virtual servers, Kesner said. 'We frankly don't know quite what to do.'

Waiting for Microsoft's patch could mean leaving the law firm exposed to exploits targeting the WMF vulnerability. But installing a third-party patch on Microsoft servers could result in unforeseen consequences and raise potential support issues with Microsoft in case of a future problem, he said.

Tom Robertson, senior vice president of IT at Charter Bank in Bellevue, Wash., said his firm is making all the appropriate updates to its antivirus, antispam and content filters as well as its network intrusion protection systems while it waits for Microsoft's updates. But 'we are unlikely to implement any third-party Windows patches,' he said.

'It is never a good idea to deploy an untested third-party patch. It's an invitation for bigger problems,' said Andrew Plato, president of Anitian Enterprise Security, a systems integration and consulting firm in Beaverton, Ore. 'The WMF exploit is bad, but no worse than a hundred other exploits, many of which remain undisclosed,' he said.

Russ Cooper, editor of the NTBugtraq mailing list and a senior scientist at Cybertrust Inc. in Herndon, Va., is another security analyst who said it's better for companies to avoid downloading third-party patches. 'It's certainly not a good recommendation, in our opinion, to all of a sudden start recommending code of this nature,' Cooper said. 'At the very least, it has not undergone the quality scrutiny and testing that Microsoft's patch will have. So, we think it is a bad suggestion.'