F-Secure Corp., one of the companies on Microsoft's list of antivirus vendors that can block WMF attacks, also recommended the use of Guilfanov's patch after testing and installing it internally. The U.S. Computer Emergency Readiness Team provided a link to the patch on its site but urged companies to do their own risk assessments. Wary of Third Parties

Others said that despite the potential seriousness of the WMF flaw, users should avoid installing any unsupported patches because such code is unlikely to have been fully tested for application compatibility and quality.

"It is never a good idea to deploy an untested third-party patch. It's an invitation for bigger problems," said Andrew Plato, president of Anitian Enterprise Security, a systems integration and consulting firm in Beaverton, Oregon. He added that the WMF vulnerability "is bad, but no worse than a hundred other exploits, many of which remain undisclosed."

Tom Robertson, senior vice president of IT at Charter Bank in Bellevue, Washington, said his staff was updating the bank's antivirus and antispam tools, as well as its content filters and network intrusion-protection systems while waiting for Microsoft's fix. But he said the bank was unlikely to install any third-party Windows patches.

The WMF issue highlights the need for users to have an IT security strategy that isn't overly dependent on a vendor's ability to get patches out quickly, said the director of information security at a specialty retail chain in California.