Hi folks- Kevin Kean here again.  We here in the MSRC have been hard at work on this WMF vulnerability and so I wanted to provide you all with an update on the situation.

When the MSRC learned of the attacks on December 27, 2005, we mobilized under what we call the Software Security Incident Response Process (SSIRP) to analyze the attack, assess its scope and determine the appropriate guidance for customers, as well as to engage with anti-virus partners and law enforcement.

Based on that process, we have finished development of a security update to fix the vulnerability and are testing it to ensure quality and application compatibility.  Our goal is to release the update on Tuesday, January 10, 2006, as part of the regular, monthly security update release cycle, although quality is the gating factor.  Customers will be able to get the update through all the usual deployment tools: Microsoft Update, Windows Update, Automatic Update, the Download Center and Windows Server Update Services.

As we’ve noted in previous posts, we have been carefully monitoring the attempted exploitation of this vulnerability through our own investigative process as well as by partnering with the industry and law enforcement.  Although the issue is serious and malicious attacks are being attempted, we have found that the scope of the attacks is not widespread.  AV companies have also indicated that attacks are being effectively mitigated through up-to-date signatures.

To help protect against any attempted exploitation while the security update is being developed, we continue to urge customers not to visit unfamiliar or untrusted Web sites that could potentially host the malicious code.  More guidance for consumer customers can be found here: http://www.microsoft.com/athome/security/online/browsing_safety.mspx  We also encourage enterprise customers to continue to review the information in the security advisory: http://www.microsoft.com/technet/security/advisory/912840.mspx

Best,

Kevin

*This posting is provided "AS IS" with no warranties, and confers no rights.*