Microsoft released a fix for a serious security vulnerability in Windows on Thursday, several days before the patch's scheduled delivery.
The company is breaking with its monthly patch cycle because it completed testing of the security update earlier than it anticipated, it said in a note on its Web site. "In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible," the company said.
Security bulletin MS06-001, originally scheduled for Tuesday, is the first security bulletin of this year and fixes a vulnerability in the way Windows renders Windows Meta File images. The bug was discovered last week and is increasingly being used in what Microsoft calls "malicious and criminal attacks on computer users."
Critics had called for Microsoft to release the patch as soon as possible. With people unable to patch their systems, the flaw could provide an opportunity for cybercriminals to launch increasingly sophisticated attacks on users, they have said.
Some security experts, in an unusual move, even recommended that users apply a third-party patch developed by European programmer Ilfak Guilfanov.
No fix for Windows 98, ME
Also on Thursday, Microsoft said that older versions of Windows are immune to the latest wave of attacks targeting the operating system.
While Windows 2000, Windows XP and Windows Server 2003 are vulnerable, Windows 98 and Windows Millennium Edition are not exposed to the same threats that exploit the WMF flaw, according to an update to a Microsoft security advisory on the issue.
Microsoft initially also listed the older versions of the operating system as equally vulnerable, but has now backpedalled on that, giving users of older Windows versions a reprieve.
"Although Windows 98, Windows 98 Second Edition and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a critical severity rating for these versions," the company said in its updated advisory.
In more bad news for vulnerable PCs, Microsoft warned of another way for attackers to use the flaw--via a malicious image embedded in a Microsoft Office document. The company previously said that an attack could only occur if a user visited a Web site containing a malicious image or opened such a file attached to an e-mail.
Microsoft does not say whether the older Windows versions could be susceptible to less-serious attacks. Because the issue is not deemed critical for Windows 98 and ME, Microsoft no longer plans to issue a security fix for these OSes. "Per the support life cycle of these versions, only vulnerabilities of critical severity would receive security updates," the company said.
Talkback
M$ should be charged with criminal negligence for not issuing patches for ALL of their OS's ..I love how this flaw in their code affects all M$ platforms but when taking care of their customers..yes Mr Gates I paid for a version of your OS and now even though you claim to have extended support for me and my fellow users you abandon us (why would I even consider buying another of your crappy swiss cheese like Operating systems in the future if this is the way you treat your users?? Apple will be getting my cash from here on out).
You can't whitewash the fact that this is a CRITICAL VUNERABILITY for ALL M$ Products .. to quote your site: "Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) were previously listed as affected, but are no longer listed. Why is that?
Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates."
Spent an evening installing Ubuntu Linux on my laptop a few nights back; best thing I've ever done with it. Why? For free I'm better protected from viruses and malware better than Microsoft's paid customers are.
http://www.ubuntu.com/
The only reason MS released the patch early was because someone fixed the flaw and released an unofficial patch faster than they did, and they wanted to save some face... too bad they dont realize just how many people are still using Win2K that theyre holding back on, or their other OSes that have no need to upgrade.
So you say thats because Linux is in the minority, right? Not such a big or valuable target... not that because Linux is inherently more secure.
Fact of the matter is, I dont care why anymore, I want a machine I can connect to the Internet and actually use without it imploding.
Microsoft should be called to task on this half-hearted attempt to wipe the egg from their collective face.
-- Joshua
Of course MS can release early, Guilfanov already did all the work!
Bill and MS abandoned me and my "oldies" Windows 2000 and Windows 98 still running on my HP Pavilion 366 MHz and Compaq 500 MHz Deskpro SFF PC.
I don't even bother complaining about discontinued support for the two.
I'm more than happy with my Xandros 2.0 Business Edition Linux which will celebrate it's second year of running on my ageing machines
sincerely from
Linux XandBE 2.4.24-x1 #1 SMP Fri Feb 20 16:30:52 EST 2004 i686 GNU/Linux