Enterprise customers who are using Windows Server Update Services will receive the update automatically, the company said in a statement this afternoon. Manual downloads will be available at http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx.
In addition, the update is supported by Microsoft Baseline Security Analyzer 2.0, Systems Management Server and Software Update Services, the company said. Individual users who use Automatic Updates will receive the patch automatically when it becomes available.
Microsoft had originally said it would release the patch next Tuesday as part of its regularly scheduled monthly updates. But the company has been under mounting pressure from users and security analysts in the wake of a growing number of attack methods targeting the flaw. Those attack methods became more numerous over the past few days.
'Microsoft will continue to monitor attack data, which has thus far indicated that the attacks exploiting this vulnerability are limited and mitigated by efforts to shut down malicious Web sites and with up-to-date signatures from antivirus solutions,' the company said in its statement.
In addition to the patch for the WMF flaw being released Thursday, Microsoft will also release a security bulletin detailing updates for flaws in Windows, Exchange and Office products that will be released on Jan 10. The maximum severity rating for the flaws described in these bulletins is critical, the company said in an advance notification released Thursday.
The company will also release an updated version of its malicious-code-removal tool on Tuesday as part of its monthly security updates.
Johannes Ullrich, chief technology officer at the SANS Internet Storm Center (ISC) in Bethesda, Md., said his company has tested the patches and they appear to be working fine.
'It's really good of Microsoft to have released the patches so quickly,' said Ullrich, whose organization had been recommending that companies download a third-party patch released by a Belgian security expert instead of waiting for Microsoft's scheduled Jan. 10 update.
'So far as we can tell, the [third-party] patch does not interfere with Microsoft's patch,' Ullrich said. But it is better for those who have installed the unofficial patch to uninstall it after they have implemented the Microsoft patch, he said.
'It can only hurt at that point' to have both patches, Ullrich said, adding that SANS's ISC has posted details on its Web site telling users who may have installed any of the earlier patches or work-arounds how to update to the official Microsoft release.
Chris Christianson, an analyst with IDC in Framingham, Mass., said the early move by Microsoft to release the patch is not a surprise because the company has "grown much more responsive over the last few years to security vulnerabilities." The company created its regularly-scheduled update cycle in response to earlier customer concerns of previous piecemeal efforts and is now breaking from its regular schedule because of the severity of this vulnerability, he said.
"I see this as a good thing, that they see this as a schedule that needs to be broken" in this case, Christianson said.