Microsoft shipped MS06-001 yesterday, five days ahead of the regular Patch Tuesday cadence. The patch addresses the WMF zero-day disclosed on 28 December. The exposure window has been roughly two weeks; operators are in various states of cleanup; and the incident's lessons about disclosure timing deserve treatment.
This is a longer post because the incident has structural lessons larger than the specific vulnerability.
What shipped
MS06-001 addresses the WMF graphics-rendering vulnerability through specific code changes in gdi32.dll and related components. Affected products include essentially all current Windows versions (XP, Server 2003, 2000, 98, ME).
Deployment is straightforward. The patch installs through Windows Update, and manual deployment is also supported. A restart is required for it to take effect.
The cumulative time from public disclosure (28 December) to official patch (10 January) was 14 days. By Patch Tuesday cadence this is fast; by zero-day-with-active-exploitation standards this is structurally too slow.
What happened during the gap
The exposure window produced substantial activity.
Active exploitation continued. Multiple malware families used the WMF vulnerability as their installation vector: phishing campaigns delivered malicious WMF files, compromised websites served them, and rootkit installations used WMF for initial code execution.
The third-party patch was widely deployed. Ilfak Guilfanov's patch was deployed by many operators ahead of Microsoft's official response. The deployment was meaningful; some of those operators credit it with avoiding compromise.
Large organisations had visible incidents. Several have surfaced WMF-related compromise events through end-of-year incident reporting. The cumulative cost across the operator population will become visible in the months ahead.
The defensive infrastructure was tested. Mature operators with current antivirus, fast patching, and aggressive filtering came through the period with bounded impact. Less mature operators were more substantially affected. The defensive maturity gap remains the structural property that determined outcomes.
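As an added illustration of the "aggressive filtering" mentioned above, here is a file-level check a mail gateway or sensor could apply to WMF attachments and downloads. This is example code written for this edit, not the post's own rules and not Microsoft's or Guilfanov's code. It walks the record table of the public WMF format and flags an escape record carrying SETABORTPROC (the construct the MS06-001 vulnerability concerns, which has no legitimate use in a file) as well as records whose declared size is impossibly small. The constants follow the public format; the sample files are constructed here.

```python
import struct

# Constructed for this example from the public WMF record layout; nothing here is from the post.
PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte placeable header precedes the real header
META_ESCAPE = 0x0626           # record function: pass-through GDI escape
META_EOF = 0x0000
SETABORTPROC = 0x0009          # escape sub-function that has no business in a file on disk

def scan_wmf(data: bytes) -> list:
    """Walk the WMF records; return findings (empty list means nothing suspicious)."""
    findings = []
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return ["truncated header"]
    mt_type, mt_header_size = struct.unpack_from("<HH", data, off)
    if mt_type not in (1, 2) or mt_header_size != 9:
        findings.append("odd header: type=%d size=%d" % (mt_type, mt_header_size))
    off += 18
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size_bytes = size_words * 2
        if size_bytes < 6:                      # shorter than its own size+function fields
            findings.append("malformed record size %d at offset %d" % (size_words, off))
            break
        if func == META_ESCAPE and off + 8 <= len(data):
            if struct.unpack_from("<H", data, off + 6)[0] == SETABORTPROC:
                findings.append("SETABORTPROC escape at offset %d" % off)
        if func == META_EOF:
            break
        off += size_bytes
    else:
        findings.append("no META_EOF record")
    return findings

# --- constructed sample files (not real captures) ---
def _header(size_words: int) -> bytes:
    # mtType=1, mtHeaderSize=9, mtVersion=0x300, mtSize, mtNoObjects, mtMaxRecord, mtNoParameters
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, size_words, 0, 3, 0)

def _record(func: int, *params: int) -> bytes:
    size_words = 3 + len(params)               # rdSize (2 words) + rdFunction (1 word) + params
    return struct.pack("<IH", size_words, func) + b"".join(struct.pack("<H", p) for p in params)

BENIGN_WMF = _header(12) + _record(META_EOF)
SUSPECT_WMF = _header(17) + _record(META_ESCAPE, SETABORTPROC, 0) + _record(META_EOF)
MALFORMED_WMF = _header(15) + struct.pack("<IH", 1, META_ESCAPE) + _record(META_EOF)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF), ("malformed", MALFORMED_WMF)):
        print(name, scan_wmf(blob) or "clean")
```

A non-empty result is a reason to quarantine the file for review, not proof of exploitation; the check is deliberately strict because neither construct occurs in legitimately produced metafiles.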
What this teaches about disclosure timing
Three observations.
The 14-day vendor response is too slow for active-exploitation incidents. When a vulnerability is publicly disclosed with active exploitation in the wild, two weeks of cumulative compromise across the deployed population is substantial. The patch-development engineering work is bounded; the testing requirements should be balanced against the cumulative cost of delay.
The third-party patch precedent is now visible. Guilfanov's patch demonstrated that a competent external researcher could ship a working patch faster than the vendor. The effect on disclosure norms will play out across future incidents; researchers will be more willing to ship third-party patches when vendor response is delayed.
The trust model around third-party patching is being tested. Many operators deployed Guilfanov's patch despite the unusual sourcing. The trust signal (identifiable reviewers, public discussion, community endorsement) was sufficient. The structural lesson: in the right circumstances, the security community can provide defence faster than vendors.
What this teaches operationally
Three operational lessons from the incident.
Out-of-cycle patching capacity matters. Operators who could deploy Guilfanov's patch (and the subsequent Microsoft patch) quickly absorbed the incident with bounded impact. Operators who could only deploy on monthly cycles experienced more cumulative exposure.
Cleanup readiness matters. Hosts compromised during the exposure window need cleanup, and the workload is substantial. Organisations with rehearsed incident-response procedures have lower cumulative cleanup cost than organisations improvising.
Communication matters. Some organisations communicated clearly with users about the threat and the recommended response; others did not. The difference in communication quality produced different operational outcomes: users who knew about the threat made better choices than users who did not.
What I am doing
For my own infrastructure: official patch deployed; the third-party patch (which I had installed on the test machine) removed once the official patch was confirmed working. The cumulative exposure window was bounded; the response was timely.
For client deployments where I have advisory roles: the patch deployment is in progress this week. Specific clients have been on the third-party patch since early January; the migration to the official patch is straightforward.
For my Snort sensor: rules for the WMF exploitation patterns continue to fire periodically. The exploitation is not yet exhausted; the cumulative compromise is still being identified.
A reflection on the incident
The WMF zero-day will be a reference incident for some time. The disclosure timing, the third-party patch, the vendor delay, the active exploitation: all are informative about how disclosure events should and should not unfold.
For the broader field: the structural lessons should inform vendor response cadences, disclosure norms, and community-defence infrastructure. The cumulative trajectory is positive but specific incidents continue to test the system.
For my own writing: the incident will be referenced in subsequent posts about disclosure, patching, and incident response. The cumulative archive of writing about specific incidents informs structural understanding.
What I am paying attention to
Two things over the next month:
Cumulative compromise from the exposure window. Specific organisations will surface incidents over the coming weeks; the cumulative cost will become visible.
Third-party patch precedent in subsequent incidents. 60% probability of meaningful precedent setting. The pattern is established; specific subsequent incidents will test whether it continues.
For my own continued operation: the patching discipline continues. Specific subsequent advisories will be deployed on the standard cadence; the WMF incident is now the cumulative archive's reference for disclosure-timing questions.
More in time.