Windows - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Windows


Microsoft: Beware of Third-Party WMF Patch



 By: Ryan Naraine
2006-01-03
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Windows story.


Rate This Article:
Poor Best
Redmond slaps a "buyer beware" tag on an unofficial hotfix for the zero-day WMF bug and promises its own properly tested update will be ready in time for January's Patch Day.

Microsoft Corp. has slapped a buyer beware tag on a third-party patch for the zero-day Windows Metafile flaw and promised that its own properly tested update will almost certainly ship Jan. 10.

The companys latest guidance comes days after an unofficial hotfix from reverse-engineering guru Ilfak Guilfanov got rare blessings from experts at the SANS ISC (Internet Storm Center) and anti-virus vendor F-Secure Corp.

Guilfanov, author of the IDA (Interactive Disassembler Pro), released an executable that revokes the "SETABORT" escape sequence that is the crux of the problem. The hotfix was tested and approved for use by many security experts, but Microsoft says it cannot vouch for the quality of the fix.

How serious is the WMF flaw? Click here to read Larry Seltzers column.

"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006," the company said in an updated advisory.

Microsoft said its own patch has already been developed and is going through a rigid round of quality assurance testing. "The security update is now being localized and tested to ensure quality and application compatibility." Last-minute glitches in the patch testing process could still delay the update.

Resource Library:

As a general rule, the Redmond, Wash., company never recommends third-party updates. Ever since attackers started exploiting the bug to push malware on vulnerable Windows systems (XP SP2 included), the company has thrown all its security resources into the investigation and patch-creation process, making it virtually impossible to validate the third-party code.

Without a full test pass, its impossible for Microsoft to know what impact the third-party change might have on applications mandated in regulated industries or in-house applications. In addition, Microsoft said its Patch Day updates are offered in 23 languages for all affected versions of the software simultaneously. "Microsoft cannot provide similar assurance for independent third-party security updates," the company added.

Jesper Johansson, a senior security strategist in the Security Technology Unit at Microsoft, warned that the "unknown risk of issues with an unofficial patch is pretty high."

In a blog entry, Johansson said enterprise IT administrators must carefully consider the risks involved before thinking of applying Guilfanovs hotfix. "The patch is an executable and has to be run on each vulnerable system, meaning cost of implementation is potentially very high. … Personally, I have not tested it, and I have no intention of using an unofficial patch at this time."

Johansson said a decision to use an unofficial patch should be driven by risk management. "If you have extremely high security requirements, you may want to go so far as using something as drastic as an unofficial patch. However, in that situation you are probably not willing to trust a third-party packaged patch anyway."

"The unknown risk of issues with an unofficial patch is pretty high. The cost of implementation ranges from low in a very managed environment, to very high in an unmanaged environment. If your risk and the cost of the attack is very high, then you may want to consider the unofficial patch, but I cannot in the best conscience recommend it right now," Johansson added.

Privately, Microsoft officials are furious that the issue was overblown, especially in the mainstream media where the WMF exploit is being compared to debilitating network worms like Blaster and Sasser.

Although the threat is legitimate and newer exploits are constantly being published, there is no remote unauthenticated attack vectors that could cause lead to a widespread worm attack. A successful WMF attack requires that the victim is lured to a malicious Web site, much like any other phishing of malware attack.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

"Although the issue is serious and malicious attacks are being attempted, Microsofts intelligence sources indicate that the scope of the attacks is not widespread. In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures," a spokesman said in a statement sent to eWEEK.

Check out eWEEK.coms for Microsoft and Windows news, views and analysis.



  Reader Comments: Microsoft: Beware of Third-Party WMF Patch
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Windows Articles          >>> More By Ryan Naraine
 


xr㶲0;; ʷ♵M=RJV,ҌפN"!1Ej=NzgyoHKL&$%hݍFw?HpurKk|jx΢>w߽ 1[f0kTE[]Ϥ^Am_@/t 5u: -z=>;|9|ĠZڒY)=/[s}J}FԚ\3Ѣĝ"lG : rWӺ#~`fAΧ+doF" 23nr!DKI 8d8cGfsU Wiغ\68߇ݬ7kDm.s5wnzaZVpx3muםS2_ ;*>cq4U`E-! :oo:jj#6mRQ* U9-lb(7ZdL,5,/R7D_AQ^AI/r뎓x>:AGticšhέ@7fh`CCҏLڠ~N{ݣn<'tiEXŞ+LS,h 0CGE 60\LR}> %qHhQ0<szY[s_#jax7t,u,/{@`^@8Hpy8%@[ubKBݷ|{5#j閭-L<ģҠ~^PP|'sZn(L7^aS12(%%E2 4.gP)AH =[h \99~ >vZ)'JPl{ .z&Hq0ѿy̞f; kF+UʝWQ6y'gz)5< 1!Y/ޏtzS܊f99IAwuw躟Fmh'OUo#<4YjIT*ڴZ)uimc33aԍ 5E"b j7{\0-# l,>D4~hNa2*)i$ͿbCpĞZ>3+%UVg0F,m+^ȣ[)ZHz\N[`aPez'ȃ`r3NlphAJmHw1sJ[Y*qRhj]6,/F*|7( +#.Wɍk?n,kYg}Oٗ.B՚L|vN XYڇ:=4̄+ub'T-!=}1;Hy5ם ?ΆՊRR՘IO;&_G= kQ+wڶ{Ot]QG Xڋ: Y2~)fQSo>5 \!E+\RUad[sv/rU~^N4;M80aDU5}5?>nɵ#Ag$2D{EY*..?Jӛ6#U\+ԊP/YTAtevdix;L \x&_{KNj(bo)Q^jKW".wD<wϨ;}Nb 4PG }V q 2;e,طLd;ɳ#X I7,ְKgF*ݔ[Y`'Z%T/IjYt>80xnTN W8pL\'徴zL5L53z7è?kueQbsE1 Fk{J" ^x/n00| #⤔Qԕº}w=ƎC^|:ķLXWWAw_aa>"aA`}Wֹ/*cU^vuH*G6-<1}LAIP 4"7="icO;2}zڽ|/]6 Elp0Z<!h?{N}{)}ҿ_E#%GD's3AAHClFW!yN.:ȧͦnj Lo2XG<׈d 㥑a +"e J_ǥ}ڹ̂!+Qל$"1zr\N3dnX,qFpΫx_a[,d*0! *t~c}E9pl׀zBl&q\]?E/su؋~{(rm 08 S*QFW*REh5M |EN;'6g |{|mr/HUɉ? #^4} y*}y:}_exB+5ǻBX{pңXTJqvi#_c~:)}@ON9]~DҼ"gÍw"HtWkԛC2L:&rޞSD[B-Gr1ppʉd eq#m3겨uC%M<3GъN)tJȓ Q8 z>SB'ԴIդ*8I5F4A2 uIH? Md4XPWdht$lAW jӚ]eyt{w7X; VH0_Ӹ\bvOB XY+oxXta}kI-jݷUH.~_|@s`=BŒ,伨6z˪jQuXu@Q$= t&n;{W4@)s^XLkh;~-ܳ,:];7_G8z|oI]2Gz1?)QݘtqzN`Mss ?{:`A ߶a6"%jMJn,sJ܅Xi; +1q)~l?4ݹn9b9/kҾ4<5L;<`,H~ VН>My{dMo.=)dzIΚ#g䢅q+ɛޠj*#Yl[d_?H/K㆟VVys,1OhK_#K1O&ZQX**sᔤˁW#S~`rZ~dM3}%3 Տk^xΠtt v{{!.M4E|;`-?gp+w z+;isVD)Kĵ"vًKqɇymUzSDDK`#i>R?{_14Nm*z=}~9[fv?kB&>dO#@/ulC|S`ldF_a}ưZ)#)Ιd| <v2.;.m[ݚ(<A~A< vD4);˷xf}ia;⻆–,,0iE0pDa~o[1΢ Im1ZQ|9N8s{K4jZKW\L_lZS| \(\=3q x8 »'VDeb4[0| rKKo<:QgM*?DI3[bOO_~\pf}lC+=0f~jPo=Sr4j4ϣzKۡOW}vV`\OיR\tIW [/EJ}:mՐu;ʧԶPrD$ KK1<'xFBO?*ƑOn7%KNf3Hr0ˋH'wC 5i8< NT JzԟSrL1ӏ4B#lc}-xRTUw塆mCaV.yI贫hN{ŧ=֢tDH[-T7Mz>.%ݗbζ/ fBv,f3v$K\7 8b#ēo=ծ,V,V}qk;ni>8.KA۱&]S]sfW$nh$luі(nakjOP?myz뎟 o}j4` 4Jם $֝8_r1_d/Nm徹徹徹徼[TWb}z9WC uMKUs]SU%Q\>=lsvڗaEoF^5Nw_37?AI޻Yƚ=š@s O?D}{[[Wݒ ^1~dOo:_$ʗ.p"$בN?tzYA!28"0@œ! C" %־)fth=іεg]}9])54?L(դ뱟A`DBHQTEl |%]/ik53W|A(ǡ8>;7o(vj33൙vm@+=^tcW۲:p؜]EY~q{O_,`Y-1+ztѵHP)$Fz{8qG~$l; s;ZV]Oe_(SAHq*m{wi1~JkDX%՝ϗNxIN}َMUbtmЭTR^/Dyj 4Zu,u{ sD:F s FΒVi ͬj-!V󬤱]F Rd+} 纣;~ ˍ`A1{,#V¯eQi^_fFt+nO59VrMul?,tl^ֿ&|͌kZc)4ƿF< EC c  ń[)rUfw<~z*:Oe^fwBJZ]{8FGȚ؆wt$N wn,ϚM)7d[V0M@}tTkVyK"?{| զ̋,HKt2)%7 m;A=~tDLRO›= .oM8#yǃV"Ba#X &>IRGP5v79:muX v\vns=@@D}m! y;溸_]W(䄭!'vQ]Q7kwDBqnлrŗtS!B|9#!A1HsFhvn~( aHe t4^83*F2*mG{_&9M- a k(E$dsLjӚL( 0װ^1;m/Aj+(a1A^11FaŷA(lp?;b21bHcXKE+D:ŨdtC\WP*@J>S|p_h!ϭ.fldaQ(b:Mu?3X,ȏVHݜ(8w&sPB<_DRfdayFf|?3e/(  G@Ka1c~Po֔J$4 >)%fٕa+V+_zSoS{w09XKVF+iT(+I+ {GC4(Ey@|̜Sp;LоDפMή;2p<8^ KrܹQ׆_ǣ4駓էe{9,,Vbv>Lu}^LJrdeA.۽Sr3\h^EpɃw]%:/^ͨ;O;xRvc QJNi21MS>= Z>Z[NAwN|NWkAN\3Go1r !r;X)` Bfjs@1@C|;\tN)BJu9@/9B9P~]~NmS>.?vrO$ sC09?dw nvy9CL2/BAN'(]~/rjO<@^}{@^}z/g/?{D#)?@?r{P)̙K̙>3>~~+W9sgr ]C}y>>oʁor&k$CPΑnO ps+qT/@a uySހ}VU<_`kW9t _ r ̭L_W'BX\jzr+޲vegq VD#ןbMdGD<mJ5faOd_DŽ3U=QGd .Ǒpۿ{剹?K2xwY0?ۓg_pCAG/:)7Xzx=CԥumG'ޝGfe5Xjm8“m1ϋ9y}wegσfGW}m8xZLԹҘGpoQ^" #"5 -gP`2?6UJ` Ԋz%C;b{ǜ[ɞ@#J^?&G^M^ƘCݬ տaSKdpx;r(qY0P*`%Kמ.Ƅ^-Ǭ$ZM$Yi Ǥ4kMX;l͘ʹ1ru¿z:Ge@4ǝaƙr6@Y<@cc߻CB[%'xaJ$l1Aй7B΄[5W7Cfsʲ%=fƝB` jϗ[n c$PMEHt 3$}'V ԻV}$"0 ; Rד̕*.rkqXa\m8q qYO zn V\~|kvKItGד-p}cO3A a"m D'IZ#7bc͙P|$07:%;;+Σ̦IW"r'4% X\ؓJ/q+> }u6a`說Ɲ)ZO^!Mv fB~nbaP8]|^3 2GN"Io0O2#0' MĮfAj?3&r%1<`ol |0Dὂ-YZcm]JLx&L\N3r^]ɡ=G'rdy`W_GFbW;& Um\Cס e4jѯXVX#e 6i w M3A۽"^ 8(xcjäLܰPhOQ"q},R!3'kt؝::ۈE9Od]9Hr%zM h&.lB*9"Wo Q9@EekE?I3軉d靼HzK68[(& ԵƎQV*iů@B& X)t'|oW|Dl[km`y°`<zKTt1v3C@_v\2R*4%NS d2֭ k# #F6 MX|w^ؙ;Oq^'d9a7 9o.I|n|?ك|2xc.!XwcQr%7` ={;F3J_e%\!d*3@FD0"6iޜDR*Ĥ&f , ~53=_O;(@PX 79BuzϷ;<v7[,Ƕ6eث$| _[0~Y+ʕbA<\2?1Şi38|@ (ۉnfTt5`GYM`ڃ+r8ǩk;6xtx }te!.,1}:33LTxϮ،U\)Ț6vQmS?p[TUDgdM 9/u33qߜ9sQaW_<'. #CP1S?&Il=9V0|>,lp/>cwOp 0tcr.﮳yN϶p2$82#" $8f6I6{{abV XϿǢwqTR:!; ׯ88 cI,;ecJX>!&ۅ 7O80Ux|-h\s;xrmx0#ŸEr.X)Fw7N~\ʹk,7=wKF  #gE= f`=>g~G'\s)n&t̵a=paI#s +@= &~tV}zڽ|W K+ߴ/1`F[Wy&F2VjwNV ƦI:1qFPVWs0v!b(S2Ǫ4K_j"JjxTˉaa#nǝl| n%56J]^[ %+&