Jan. 2006 Security Updates

The first critical patch of 2006 arrived before “Patch Tuesday,” when Microsoft released a critical patch for an already-exploited vulnerability in the Windows Metafile (WMF) image format. Patch Tuesday itself saw the release of critical patches for Windows, Outlook, and Exchange. Although it is not surprising that conditions would drive the release of a patch prior to the monthly patch-release date, this marks at least the second time Microsoft has patched the WMF image format, which raises questions about the thoroughness of Microsoft’s code review process.

“Out-of-Band” Patch

In late Dec. 2005, attackers began to exploit a vulnerability in the way that the Windows graphics rendering engine handles WMF images. (WMF is a 16-bit format that can contain both vector and bitmap information.) These exploits could result in the attacker taking complete control of an affected system.

Microsoft started following its normal process for verifying the existence and scope of the vulnerability, publishing advisories and developing and testing a patch, which typically can take several months and results in the release of a patch on the scheduled patch-release day (the second Tuesday of the month). However, the presence of exploits for the vulnerability, as well as advice from some security experts to install a non-Microsoft patch, forced Microsoft to accelerate testing and release the patch when testing was completed rather than on the next scheduled Patch Tuesday.