Mike Nash, corporate vice president for security, said Thursday on the company's technet weblog that the Redmond, Wash., computing giant also wanted to make sure that the update would meet quality goals.
Microsoft released the update Thursday, five days earlier than its planned Jan. 10 "patch Tuesday" release. The company first advised users last month to maintain antivirus services and apply the work-around it recommended.
Malicious users have set up attack websites to exploit the image vulnerability, from which they can execute arbitrary code, cause a denial of service condition or take complete control of an infected PC, the U.S. Computer Emergency Readiness Team and multiple security firms warned late last month.
"So what changed to make us decide to release an update (Thursday)? Two things: The first is that we have an update that we believe in. The team worked very hard to run all of the key scenarios that we are concerned about. While we would always like to have more time, we are confident in the quality of the update," Nash said. "The second issue is that while there is no imminent threat, a number of customers are seeing exploit traffic hitting their AV, IDS and IPS systems. Interestingly, when you talk to the security vendors, they are seeing the rate of infection and the rate of spread actually decrease."
Nash said customers had specifically requested an out-of-cycle release.
"But, when I spoke to a number of customers and asked if the current situation warranted an out-of-band release of the update, they said yes, if we had hit our quality goals. I reminded them of their past feedback about out-of-band updates being an inconvenience and their preference for the monthly release schedule," he said. "Overall, they felt that we had made these out-of-band releases so infrequent, that doing it once when it matters was not a big deal."
A pre-release version of the patch was briefly leaked to the public on a weblog earlier this week.
Mike Reavy, of Microsoft's Security Response Center, said the leak was unintentional.
Ken Dunham, senior engineer for iDefense, said wmf exploits will remain a target for hackers.
"Even though a patch is now out for the wmf vulnerability, all indicators strongly suggest that wmf exploitation will be a persistent long-term vector of attack for adware, spyware and trojan attacks," he said. "Targeted attackers may try to leverage a hostile embedded wmf inside of a Microsoft Word file in future attacks."
Before the Microsoft patch was released, some experts had advised users to download an unofficial patch from Russian computer scientist Ilfak Guilfanov, which can be downloaded at http://www.hexblog.com.