WMF vulnerability sparks patch program

23.01.2006
The Windows Metafile (WMF) vulnerability, which emerged in the last week of 2005 and was resolved with a patch that Microsoft released off its regular patch schedule at the end of the first week of 2006, wasn't good news at all. But I managed to wring a good outcome out of the situation, since it allowed me to give some structure to our patch management process.

Before this threat arose, efforts to deploy a patch management process had been met with excuses. Resources were short. A Systems Management Server (SMS) upgrade was being deployed. And as a general rule, engineers are resistant to patching because it could harm their ability to work. When the WMF vulnerability came to light, I saw an opportunity to finally institute a patch management process without listening to a lot of moaning. Unfortunately, it sometimes takes a serious incident or the threat of one to bring about change in an IT organization.

What made the threat posed by the WMF vulnerability particularly potent was one way a hacker could take advantage of it. With the WMF vulnerability, all a hacker has to do is embed malicious code in an image, place the image on a Web site and then lure unsuspecting users to that site. Once the user browses the Web site, his operating system will execute the malicious code contained in the image -- no downloading or clicking on a link is necessary.

Even though I hadn't heard of any incidents, I didn't want to take any chances. I've been through several other incidents involving vulnerabilities in the past, and it's never fun to clean up the mess. This WMF vulnerability just reeks of long nights in the data center operations war room.

My strategy for establishing a patch management process was fairly straightforward. My first priority was to get all of our desktops patched for the latest WMF vulnerability. We sent an e-mail to all 8,000 employees advising them to enable Windows Update so that critical patches would be installed automatically, or to click on a link to a Microsoft Web site where they could download only the WMF patch. We gave the employees 24 hours to comply, and then we used SMS to push the patch to all of the desktops.

With the WMF problem properly disposed of, the next step was to ensure that all desktops were current with critical patches. My security team reviewed all of the critical updates that Microsoft released in 2005 and made a recommendation on which patches were critical to our environment. We had installed several updates throughout the year to address zero-day worm infestations, such as Zotob. But until now, our desktops haven't been fully patched.