WMF exploit patch is out right now

Underpromise, overdeliver. That’s the classic advice from business school, and someone at Microsoft learned that lesson well.

Five days earlier than promised, Microsoft has delivered the January 2006 security update for the WMF vulnerability. Why now? Mike Nash, Corporate Vice President for Security, explains on the Microsoft Security Response Center Blog:

[A]ctually creating the update was a straight forward process. The challenge was testing the update on all of the supported versions of Windows and the 23 languages we support and making sure that the set of applications that might be effected by this update are not negatively affected by this change.

On Tuesday morning, we announced that our goal was to have an update available as part of our regular update cycle on January 10th. That date was based on our forecast on where we would be with quality.

So what changed to make us decide to release an update today? Two things: The first is that we have an update that we believe in. The team worked very hard to run all of the key scenarios that we are concerned about. While we would always like to have more time, we are confident in the quality of the update. The second issue is that while there is no imminent threat, a number of customers are seeing exploit traffic hitting their AV, IDS and IPS systems. Interestingly, when you talk to the security vendors they are seeing the rate of infection and the rate of spread actually decrease. But, when I spoke to a number of customers and asked if the current situation warranted an out of band release of the update, they said yes, if we had hit our quality goals. I reminded them of their past feedback about out of band updates being an inconvenience and their preference for the monthly release schedule. Overall, they felt that we had made these out of band releases so infrequent, that doing it once when it matters was not a big deal.

If you have Automatic Updates turned on, you’ll get the update without any effort on your part. If you don’t want to wait, visit Windows Update right now.