Maximizing memory usage

Early last year, I wrote a post that advised using Task Manager to track memory usage. It included this quote:

Some people assume that the goal of memory management is to leave as much memory free as possible. (That attitude is especially prevalent among those who spent a long time working with the notoriously resource-challenged Windows 95/98/Me family.) In fact, for best performance your goal should be to make maximum use of RAM. Empty RAM does you no good. Windows can swap data in and out of RAM very quickly, so if memory is free, the cache manager tries to fill it up with as much data as possible. Likewise, a well-written program can and should load as much data into memory as possible so that it can respond quickly when you make a request.

Ken asks:

Are you suggesting here that you should try to run as many programs as possible at the same time to keep all of them in superfast RAM?

That’s kinda sorta what I do anyway, and I have never experienced any performance hit with XP for doing so. As long as these programs are loaded in RAM, they respond much faster. [Insert “well, duh!” here.] And they don’t hog CPU time except when they are actually doing something.

I’m not sure I would go as far as to say you should run as many programs as possible. In some cases, that strategy would take memory away from the cache manager, making some performance tradeoffs inevitable.

Off the top of my head, I’d say the single biggest piece of advice I would give people is this: Assuming you have sufficient RAM to run the programs you normally use, don’t close programs unless and until you need to close them. I watch people work regularly and I’m always amused at how novice users routinely close one program before opening another. I don’t know whether it’s the clutter or what, but that’s something novices almost always do.

In the case that Ken describes, assuming that your regular suite of programs doesn’t put you close to maxing out physical RAM, then yeah, it’s probably a good idea to open up the programs you’re going to use during a session and leave them open for the duration.
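The distinction the quoted passage draws between "empty" RAM and RAM the cache manager has already put to use is easy to check on a live machine. The PowerShell snippet below is an added example, not code from the original post. It reads the standard Windows performance counters that Task Manager summarizes and reports whether low free memory is simply cache at work (fine) or real memory pressure (the one case where closing programs actually helps). The percentage thresholds are this example's own rough assumptions, and the counter names assume a Vista-or-later kernel rather than the XP-era system the post discusses.

```powershell
function Get-MemoryPicture {
    # Standard Windows performance counters (names are localized on non-English installs).
    $counterPaths = @(
        '\Memory\Available MBytes',                     # RAM a new allocation can take immediately
        '\Memory\Free & Zero Page List Bytes',          # pages holding nothing at all
        '\Memory\Standby Cache Normal Priority Bytes',  # cached file data, reclaimable on demand
        '\Memory\Committed Bytes',                      # private memory promised to processes
        '\Memory\Commit Limit'                          # RAM + page file ceiling for commits
    )
    $samples = (Get-Counter -Counter $counterPaths).CounterSamples

    # Get-Counter returns fully qualified paths (\\HOST\Memory\...); key on the trailing counter name.
    $byName = @{}
    foreach ($s in $samples) {
        $byName[(($s.Path -split '\\')[-1]).ToLower()] = $s.CookedValue
    }

    $totalMB   = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $availMB   = [math]::Round($byName['available mbytes'])
    $freeMB    = [math]::Round($byName['free & zero page list bytes'] / 1MB)
    $standbyMB = [math]::Round($byName['standby cache normal priority bytes'] / 1MB)
    $commitPct = [math]::Round(100 * $byName['committed bytes'] / $byName['commit limit'])

    # Thresholds below are illustrative assumptions, not Microsoft guidance.
    if (($availMB / $totalMB) -lt 0.10 -and $commitPct -gt 90) {
        $verdict = 'Memory pressure: little RAM available and commit near its limit. Closing programs will help here.'
    }
    elseif (($freeMB / $totalMB) -lt 0.05) {
        $verdict = 'Almost no RAM is idle, but most of it is reclaimable cache. This is RAM being put to use, not a shortage.'
    }
    else {
        $verdict = 'Plenty of idle RAM. Leaving programs open costs nothing.'
    }

    [pscustomobject]@{
        TotalRAM_MB        = $totalMB
        Available_MB       = $availMB      # free + standby, i.e. what a program can get right now
        TrulyEmpty_MB      = $freeMB       # the "empty RAM" the post says does you no good
        StandbyCache_MB    = $standbyMB    # file data kept around in case it is asked for again
        CommitUsedPercent  = $commitPct
        Verdict            = $verdict
    }
}

Get-MemoryPicture | Format-List
```

On a healthy machine that has been running for a while, TrulyEmpty_MB is small while Available_MB stays large: the cache manager has filled otherwise idle pages with file data it can drop the instant a program needs the space. That is the behaviour the quoted passage describes, and it is why a high "in use" figure in Task Manager is not by itself a reason to start closing programs. Only when CommitUsedPercent climbs toward the limit and Available_MB shrinks does closing programs buy anything.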

A tale of two patches, part 2

Apparently, some people think I chose a bad example yesterday to illustrate my point that patching complex software takes time. So maybe a different example will help.

This Secunia advisory from September 9, 2005 was rated “highly critical”:

Tom Ferris has discovered a vulnerability in Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a user’s system.

The vulnerability is caused due to an error in the handling of an IDN URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.

Successful exploitation crashes Firefox and allows code execution but requires that the user is tricked into visiting a malicious web site or opening a specially crafted HTML file.

NOTE: Exploit code is publicly available.

This Mozilla.org advisory offered a workaround that involved disabling the IDN functionality:

On September 6 a security vulnerability affecting all versions of Mozilla Firefox and the Mozilla Suite was reported to Mozilla by Tom Ferris and on September 8th was publicly disclosed.

On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser. IDN functionality will be restored in a future product update. The fix is either a manual configuration change or a small download which will make this configuration change for the user.

Sound familiar? That’s exactly how Microsoft initially responded to the WMF exploit.

The patch for this vulnerability (and remember, there was working exploit code out there) was incorporated into Firefox 1.0.7, which was released 12 days later, on September 21.

I’m not trying to “smear the Open Source community.” In fact, I’m an enthusiastic Firefox user and supporter. In the September 9 vulnerability, I don’t think that the Firefox developers were underestimating the problem, nor were they sitting on a patch. The process took 12 days, period. I don’t think the Windows security team was sitting on the WMF exploit either. The process of developing and testing a fix takes time. That’s true of any complex program, including Firefox and Windows.

WMF exploit patch is out right now

Underpromise, overdeliver. That’s the classic advice from business school, and someone at Microsoft learned that lesson well.

Five days earlier than promised, Microsoft has delivered the January 2006 security update for the WMF vulnerability. Why now? Mike Nash, Corporate Vice President for Security, explains on the Microsoft Security Response Center Blog:

[A]ctually creating the update was a straightforward process. The challenge was testing the update on all of the supported versions of Windows and the 23 languages we support and making sure that the set of applications that might be affected by this update are not negatively affected by this change.

On Tuesday morning, we announced that our goal was to have an update available as part of our regular update cycle on January 10th. That date was based on our forecast on where we would be with quality.

So what changed to make us decide to release an update today? Two things: The first is that we have an update that we believe in. The team worked very hard to run all of the key scenarios that we are concerned about. While we would always like to have more time, we are confident in the quality of the update. The second issue is that while there is no imminent threat, a number of customers are seeing exploit traffic hitting their AV, IDS and IPS systems. Interestingly, when you talk to the security vendors they are seeing the rate of infection and the rate of spread actually decrease. But, when I spoke to a number of customers and asked if the current situation warranted an out of band release of the update, they said yes, if we had hit our quality goals. I reminded them of their past feedback about out of band updates being an inconvenience and their preference for the monthly release schedule. Overall, they felt that we had made these out of band releases so infrequent, that doing it once when it matters was not a big deal.

If you have Automatic Updates turned on, you’ll get the update without any effort on your part. If you don’t want to wait, visit Windows Update right now.

Windows XP Home reaching the end of the line?

Dwight Silverman passes along news that Windows XP Home users may run out of support options soon:

Microsoft’s support timeline for consumer products differs from that for business products. Thus, XP Home’s mainstream support period will end sooner than that for XP Professional…

The story (which originally appeared in Ars Technica) is based on a literal reading of Microsoft’s Support Lifecycle policies. If the company sticks to its stated policies, support for XP Home would end on December 31, 2006, only a couple of months after Windows Vista is due to be released.

Fortunately, a commenter at Dwight’s site read the Windows Service Pack Road Map, which notes that “SP3 for Windows XP Home Edition is currently planned for 2H 2007.” That would suggest that Microsoft has no intention of pulling the plug on Windows XP early.

Sure would be nice if someone in Redmond would actually come out and say so.

A tale of two patches

Update: The point of this post is not “Firefox sucks, too.” The point is that patching complex programs takes time. I’ve posted another example that makes the same point here.

In the comments to yesterday’s post about SANS and the WMF exploit, a visitor remarks:

Bear in mind that when popular open source (such as Firefox) vulnerabilities have been exposed, there were patches available in about 48 to 72 hours. It’s been more than a week since the WMF vulnerability was exposed. The problem is pretty well known by now, and it’s telling that users themselves have managed to generate a fix before Microsoft has.

My, what selective memories people have. Patches in 48-72 hours? Maybe if you’re a developer, but not for mere mortals.

Remember the Firefox IDN exploit? Working exploit code was released on or before February 7, 2005. The updated version that fixed the underlying vulnerability was released on February 24, 2005. That’s 17 days later, for those who don’t have a calculator handy. And on top of that, the Mozilla group didn’t make this available through its auto-update mechanism until roughly a week after the new version was ready.

And yet a chorus of doomsayers is ready to throw Microsoft to the wolves because they plan to release a patch for the WMF exploit via Windows Update 13 days after it was first reported. Based on the Firefox experience, that seems to be about how long it takes to produce a reliable, safe, well-tested patch.

SANS jumps the shark

This rant from Tom Liston at SANS is disgraceful to see on a serious security site. You got problems with Microsoft’s decision? Make your case. Give your readers some evidence. Get angry if you want. But juvenile satire that ignores the business realities of the situation is just stupid, and it’s double-plus-stupid when the rant is completely free of facts or analysis.

My collective opinion of SANS has dropped severely.

OneCare users, you’re safe

In an earlier post, I reprinted a list of which antivirus programs had been successful at blocking the WMF exploit early. (By now, of course, almost everyone has caught up.) One name that was noticeably absent from both lists was the beta release of Microsoft’s Windows OneCare Live, which I’ve been using for a couple months now.

According to Microsoft’s updated Security Advisory 912840, OneCare works:

If you are a Windows OneCare user and your current status is green, you are already protected from known malware that uses this vulnerability to attempt to attack systems.

That’s a relief.

Help is on the way for the WMF vulnerability

Microsoft has updated Security Advisory 912840, which provides details of the WMF exploit that was sprung on an unsuspecting world last week. The good news? A patch will be available in one week:

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows once it passes a series of rigorous testing procedures. It will be available on Microsoft’s Download Center, as well as through Microsoft Update and Windows Update. Customers who use Windows’ Automatic Updates feature will be delivered the fix automatically.

Based on strong customer feedback, all Microsoft’s security updates must pass a series of quality tests, including testing by third parties, to assure customers that they can be deployed effectively in all languages and for all versions of the Windows platform with minimum down time.

The level of hysteria over the WMF exploit is getting a little silly. Yes, it’s a zero-day exploit, which is a very bad thing. But the drumbeat that this will be “the mother of all Internet worms” has been spreading. Even the normally down-to-earth crew at SANS has melted down. And yet, as Larry Seltzer at eWeek points out, Microsoft’s deliberate pace seems correct. Major antivirus software vendors, who are usually ready to hit the panic button (and sell a lot of software) at the slightest provocation, are surprisingly low-key:

[I]t’s Monday morning, Jan. 2, and none of the major anti-virus vendors has a serious alert up. McAfee, Symantec, Trend and Panda all show no alarm, and the ones that have a general level of alertness are all showing a low level. Panda can usually be counted on for some hysteria at a time like this, and Computer Associates doesn’t even seem aware of the threat on its site.

There is F-Secure, who is showing a Level 2 (out of 3) alert. F-Secure has been on top of this situation from the very beginning …

As I pointed out in an earlier piece, actual testing of 73 variants of this threat shows excellent protection common among anti-virus vendors. As of Saturday morning, the 100 percent list included AntiVir, Avast, BitDefender, ClamAV, Command, Dr Web, eSafe, eTrust-INO, eTrust-VET, Ewido, F-Secure, Fortinet, Kaspersky, McAfee, Nod32, Norman, Panda, Sophos, Symantec, Trend Micro and VirusBuster. If you’re a user of one of these products and you keep your anti-virus updated, odds are good that you’re protected against any exploits you’re likely to see.

And as one of the anti-virus vendors pointed out to me, there may be dozens of variants out there and a first attempt at an IM worm, but there is no major attack yet. In other words, there may be a major vulnerability, but there is no major exploit, and you’re unlikely to encounter one unless you spend a lot of time on porn sites or already are running adware.

So let’s review:

  • Disabling the Windows Picture and Fax Viewer is a proven workaround for all variants to date.
  • If you’re running auto-updating antivirus software from a major vendor, it’s able to detect and block all known variants of this exploit.
  • The average person is extremely unlikely to get hit with this thing in everyday browsing.
  • No one has come up with an e-mail-based vector yet, aside from the usual spammy attempts to entice you to a shady Web site.

In short, it’s not time to panic. I directly support about a dozen users – family and friends. None of them are shy about calling for help, and none of them have encountered this exploit. I have an extended family of correspondents who reach out when they encounter viruses and spyware. I haven’t heard a word from them. In fact, although lots of security sites are finding examples of this exploit in the usual dark corners of the Web, no one has reported widespread infections. The updated security bulletin confirms what the antivirus companies are saying:

Microsoft has been carefully monitoring the attempted exploitation of the WMF vulnerability since it became public last week, through its own forensic capabilities and through partnerships within the industry and law enforcement. Although the issue is serious and malicious attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks is not widespread.

In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures.

One skilled and apparently trustworthy coder has released an unauthorized patch for this vulnerability. SANS recommended that everyone install it. I haven’t recommended this patch, because in my view the risk is greater than the benefit. I think Microsoft has made a perfectly reasonable trade-off in developing and testing this patch. A seemingly small change can have a ripple effect in unexpected places. The nightmare scenario is a poorly tested patch that renders a system unstable or causes data loss.

If this had been the Slammer worm, which spread like wildfire over the Internet back in 2003, a more aggressive approach would be called for. In this case, I think the response from Microsoft has been appropriate.

How effective is your antivirus software?

eWeek points to an authoritative analysis of how security software companies have responded to the WMF exploit:

AV-Test, which tests anti-malware products, has been tracking the situation closely and has, so far, analyzed 73 variants of malicious WMF files. Products from the following companies have identified all 73:

* Alwil Software (Avast)
* Softwin (BitDefender)
* ClamAV
* F-Secure Inc.
* Fortinet Inc.
* McAfee Inc.
* ESET (Nod32)
* Panda Software
* Sophos Plc
* Symantec Corp.
* Trend Micro Inc.
* VirusBuster

These products detected fewer variants:

* 62 — eTrust-VET
* 62 — QuickHeal
* 61 — AntiVir
* 61 — Dr Web
* 61 — Kaspersky
* 60 — AVG
* 19 — Command
* 19 — F-Prot
* 11 — Ewido
* 7 — eSafe
* 7 — eTrust-INO
* 6 — Ikarus
* 6 — VBA32
* 0 — Norman

The difference for the more effective products is likely to be heuristic detection, tracking the threat by identifying the basic techniques of the exploit, rather than looking for specific patterns for specific exploits.

I know a lot of people who use various free antivirus programs, especially AVG. I don’t recommend them, and this study is one giant data point in my argument.

Anyone with an updated subscription to any of the AV programs on the first list above is fully protected from the WMF exploit. Anyone using a program on the second list should ask themselves whether it’s time to switch.