Windows - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Windows


Microsoft: Beware of Third-Party WMF Patch



 By: Ryan Naraine
2006-01-03
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Windows story.


Rate This Article:
Poor Best
Redmond slaps a "buyer beware" tag on an unofficial hotfix for the zero-day WMF bug and promises its own properly tested update will be ready in time for January's Patch Day.

Microsoft Corp. has slapped a buyer beware tag on a third-party patch for the zero-day Windows Metafile flaw and promised that its own properly tested update will almost certainly ship Jan. 10.

The companys latest guidance comes days after an unofficial hotfix from reverse-engineering guru Ilfak Guilfanov got rare blessings from experts at the SANS ISC (Internet Storm Center) and anti-virus vendor F-Secure Corp.

Guilfanov, author of the IDA (Interactive Disassembler Pro), released an executable that revokes the "SETABORT" escape sequence that is the crux of the problem. The hotfix was tested and approved for use by many security experts, but Microsoft says it cannot vouch for the quality of the fix.

How serious is the WMF flaw? Click here to read Larry Seltzers column.

"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006," the company said in an updated advisory.

Microsoft said its own patch has already been developed and is going through a rigid round of quality assurance testing. "The security update is now being localized and tested to ensure quality and application compatibility." Last-minute glitches in the patch testing process could still delay the update.

Resource Library:

As a general rule, the Redmond, Wash., company never recommends third-party updates. Ever since attackers started exploiting the bug to push malware on vulnerable Windows systems (XP SP2 included), the company has thrown all its security resources into the investigation and patch-creation process, making it virtually impossible to validate the third-party code.

Without a full test pass, its impossible for Microsoft to know what impact the third-party change might have on applications mandated in regulated industries or in-house applications. In addition, Microsoft said its Patch Day updates are offered in 23 languages for all affected versions of the software simultaneously. "Microsoft cannot provide similar assurance for independent third-party security updates," the company added.

Jesper Johansson, a senior security strategist in the Security Technology Unit at Microsoft, warned that the "unknown risk of issues with an unofficial patch is pretty high."

In a blog entry, Johansson said enterprise IT administrators must carefully consider the risks involved before thinking of applying Guilfanovs hotfix. "The patch is an executable and has to be run on each vulnerable system, meaning cost of implementation is potentially very high. … Personally, I have not tested it, and I have no intention of using an unofficial patch at this time."

Johansson said a decision to use an unofficial patch should be driven by risk management. "If you have extremely high security requirements, you may want to go so far as using something as drastic as an unofficial patch. However, in that situation you are probably not willing to trust a third-party packaged patch anyway."

"The unknown risk of issues with an unofficial patch is pretty high. The cost of implementation ranges from low in a very managed environment, to very high in an unmanaged environment. If your risk and the cost of the attack is very high, then you may want to consider the unofficial patch, but I cannot in the best conscience recommend it right now," Johansson added.

Privately, Microsoft officials are furious that the issue was overblown, especially in the mainstream media where the WMF exploit is being compared to debilitating network worms like Blaster and Sasser.

Although the threat is legitimate and newer exploits are constantly being published, there is no remote unauthenticated attack vectors that could cause lead to a widespread worm attack. A successful WMF attack requires that the victim is lured to a malicious Web site, much like any other phishing of malware attack.

For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

"Although the issue is serious and malicious attacks are being attempted, Microsofts intelligence sources indicate that the scope of the attacks is not widespread. In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures," a spokesman said in a statement sent to eWEEK.

Check out eWEEK.coms for Microsoft and Windows news, views and analysis.



  Reader Comments: Microsoft: Beware of Third-Party WMF Patch
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Windows Articles          >>> More By Ryan Naraine
 


x}r㶲s\@♵M"f4%X+eikRJEĘ"Hʗ'ˮO7$|LIlK@7F;;~$rLH56%3E]"I͝{#(`(IFA)ڶ? }~mk4 u;;#|6%߽w *s#AA5%SjMACkf{FcWf2zʼn5m2 fE1;'E^PtuK%yHERȏm~O|׶Cַ8>v@ߨVAÙM,}!*{> J49ʏ@Oȟ;/ !XC~ꄣ4-ndd vu=yͰ*[KF1rz `Do&lwO DƑ4Ij@Kd!˃LJN`:rm3GΠڮSTH֢n̲a8guGgbGMҷG(&$g ?ƽQ IgKazOlˇ;)x ס"'eu]Gq3܅cg|uZrHUK&)} p==\'DL=:np,E]fؖqSth ͡u(~]rLη-gqoR΋;{c4??W*)Jۿ]HQPwÑ;7@QmIu]+iunES و&lXAZ|YkU[_l 6O{uHz>5tY01\]V+%ᇓeLhusL ,_edpBu6Cj ݖEB_*D\K$Z,n>@|ˤdL2TcCNjXӭZyoA{RĿ G/<@'L^X1p3Z&T23=XMHM3!RBʼ荦IK _^PB-)\D7+Ԝﲢ$ٛ"Gn;ž\RD3Al8{Ø&Q\qL.ãp9Q] +\M޲G+<י4Oۭǫ _.=mmXxX18*]ev`Z77jG~p*uU95lb(7ZdL,5,ϙR7X_AQlA`:~gC|>5F$!|Бd0mxqZ.3+ЍEXn`΀h`Nh1[ <]{ # 0fԟ7 ZLP#AтMz> T8C|2Z9ܹ ,& F5I#ˋưP6=xBe^~6}¢s݀§Pc-f`sD[ݲeǀx\9u%>w2Z}c%>C cRRR$S hI#r Bгl`@o%``[X a\.u"\M':݉;T>ڹJXO٣B Y/_2[3CCɴa6X9{DMfT`B[ᛥLKak Sn.Zc٦ByQY$&O\Yˊhu`HJ˖o9䐎3tua x 7O︐Æ[jk|{< 6Z|' [s{wDn+,o_>,>hQo¸G63ˀ%49*pPsg >`|= 0Xհ݅5p>r|I%/*8bp; y_.ŭp(mtgй+>q^uiԺ'~r4YkCQf/::A'~ޮLR_kҞY&9ފ993F]R^JOY$"6XRvӱl̥5Ӳ =CM*&Ÿz·05s?o\Re- cdҶ<ʚU5^y| [lD0(2( 鿙R&a;Bڨ\NaOcwAsm0Hw[O\618[xy %6$;~L sOѭ,h8)4jkzF of`׆K ؈ÜҵfsKw7MeI-ip.bd>j '[rShfl:lE>ZF_a՚NgJY)jL$'P/#[ݵ ;vm۽˧ sq,bjt-g @?pj^ FZ."f~q~029 >:fc~A+p&L>AkOYgȲNzJrEmx.)J%w)` N 2׋h :|#X& ,#E .2 ʠA4>\Rbr>+j*eT6)5*Im"Pˇ%1ʹ谣Xx}Sː 0gtWed->흧 IZ+j՘*Zj8;l 8Cet4? 9tc~y058_3ch9gRkJoCu >pɥKm+p)cZ$ c0ٙ"yl ėaG*ӕ~i?&} dA;y\S4Uud X 0(E{h0 qDGL ҀJ p LM{~i)?/n"pO,+YZD]Ie(~KkN$؃1>̌}PjVRK{9i`7mC[$ zTÈh;<qŁZ J' ~gH+:sD ü8 z30Jј80xnDN W8pL\'徴zL5L53z7PqX9ɏonjC?8 +~W)ɑ$ |͸ Db+C=^NN:+ކa>;o Fk$ ^W鶮>t.ė{+!9\cxޥhd'!Cupqu4)$yu1)6MF0S cn42l%zE @ NWY0z)B3ZKUc z A03hLف;kٿ+[Z\f·łB?jy0(@RPOh5[#N:m{k D fbT10_RJMQ/YIwL/QEQ):*9Q_a(kw?MJ!}J_cNfo4~ѶP2h,6fk\tDz{Nlp jwySrF4/_;{ jEާpZISB9oթ-HӆO|BA8pJj8݃d* eq#m1결tC%<1ONO锐'.ϓp|Njۓ$/IYO)eqjhd꒐~~(h&'ء Pق/['59<//t?l76"9@u\e0 `q0Å@P V- QגZ4\һo%˫\ )'Tzo3)WYQ;ozUbӽca8Ft]|x$Nd\;zZ1?m_8Z7t]ta_}|;tsF'u\;@&xCucJNj=95~@לπ(piE1S|&t_D(ЪQEk2'4(`ϝUkӮ" # ㇦;-QL#'=r}EZgQW$ =g7om\>eNx>IБZ=p>\007~wڻo ey$ C7+۝9nima85=$DhH^ݍd_"2NIJa'z+<~1o/@Xd1W.P2vI J `ȞxqC7׷b o_{~cI.~(TR-.o]VZtC.qB1&d/.%e j OK 1l,ۥ{H?v !bi4W;Tf{ls̷֘ '|ȞF8^jƣC ? *4hg`zS`gƅ=R3ោJ;oo7܍nL \M A;"J [<N>۴ r]CaC_PvpmU4"[y"N0&qFL|}rx|SqzL7V_N7\PGHr0ˋH'wC 5i0<NT JzSrL1ӏ4B#lc}-xRTU塺mCa-yI贫hNO{E1& j37T6Z&!:*PyBCe|]Z对f_|On,>[*}ZH/ŜmQ_OisYYfP@;$Dn Ap&"O!GH'a|JmY$iMY,r&|t\cJcM6I>6Hb Q F՞~7;~@TbuOЀ5$+]w2\Yw/ɉg/ܻv|8@.nZ[.Wk04RǤT9W+KdQ4L&W<ӾW.(2="7q%hX @HsΕ.ΊO56l>lsZ_EЭIBй]9#ݧ_#C]폑|5,lB43Iav-ϼ<;:νkI{;-f8e $%?^v۬7o(vj#35絙v=m@+=^tcW۰:pX]EY~q;OaY-1+ztҕBy kئK-µߴTHp*Cף6:̽KhLD0ƫJ ;JJYTjE=0g{5'4U0=j[|}v/ȕF5Kz'}ZrYXkO:Rgac< Pm¼DRlPx&OGd.$1'֔k3dw˘{/F\oX|I7"7 >BYs4cn7F}E_+% cDRw.rO0ឩTH TdL4B&(qTik$' .ycI 8^yNtX/e Hgdþ~> _F`p3W VjjU)OBӡRk]j9*<>ŻgA Umi VH+^@0Qw4tܽA#]{9>s3|$ wEZ&Gӻ G5}[8Zz]~>\/:B`%hT繾,gHFYm3;eAq*gM B*rKx5< /9%yx.jFyx#U6zUzuL6iBUp :ϏПxuw:^Xsr9ZOm|Ӧ?h Jc7 UN>Mo )n}>E Mj*^m; ?_AUvq 8Sރ^N9r hp)?Si}>?G(]~)4:坓BsS3r'g? ͟9埡sv9?ρ]3?]w}9}9vse"OP) r)By7"g~/@~.r"gz0^{z9_.?.s_洿>s ro/(WvG௏9 ?~rCk(+k:kKuAy+GZqz~?}sS^.4r\}׾ W[Ӝ:賊9;f/_+̡sTh3 Я#x|dnldҹ<$R; ]Q-=-;p]9h\l(^c/5ZG%/Ѥ]|EW4|Wyd˼$=)>w懤I]"&;JR˯-cEN4Z9.yQJxdR$dZ+mFDuL8QU|.yM`r 'GY+O(syXw[3;=yqU K ]<k x$> | #rӚCg1k'[*8 ߚ u8y$} VX&@Y$'S?ppW3@Ez:}KMH|3q 94l cG0_ʾUVjpwrŮ{c=bxsUUEVjro VQ*D`q9#Tx|F:e~iƫ9|#]}} .Le+zyמ;;&8,U``f\(| ˸ -FljEr؄wMKɱ/yBҷn`pbL=fG.^H"" Ⱦ(ty5C2D7 .sEF-_ \ ީn'`g-LƮex7^]6>bZƠ}/Lt5~n=ݜ ŷ~uzCQoaq<́PnlDk (~%6,wl SE=y fc>Hm\\wvnCkvܙexcm<~:"d` O,j&g.vFw~1k C$2C dl,3>/DFlKz=c-gq/)@>{`& /#dʗl,Mb(}y35Id`f:`78N 챧,Z/$l%׹d,36O]-On]{!ܿc S >1qV@>AՋpawFמඁ%!:`S n Q1 ,NN-Gw U|rp]˜1J1Д8ٶ2COA3t ZW-["@# O2OCZ34a)fzc< 9zng}74o֦J $u`7gշDg7~8_ZftGGm`ݍG:J$_)0t/@s^nT0~ r@c{"&\n\jӟfJ.ѩR@vbXby\3M|B p#Q*Ԯ^x9`]|ۺkAѾXmbd[t-K^FzL!Ҷ\)vcʕ.Sܟ?C[×a҇fHEwk^zeXտ$Psh݁G0^q7KV|@swS?0D\NXeN܌i#]Qa[:63DmEtAĠxm;=͙={02bcΜ63cb@O=f_qxC'>f:tg)C2^#s!?"Mnl^^kteÿ(fѰ0K;,luGG%RXrACb0A ;%brỲz3X cJ\gGۂ~<ՍK׶S<"Y4/"?P+xaplwnrlЌ/yc|>۳z0jPbyx ^ŗ$NSXx@t&Wnra]+ S SR||>o܉S,w1N[RI>Q}Yaܢ'c(NRqO\||8)>bod /=jD +(K- QwuN`XIC"ӳL~s Wi_`<[Wy &F{kn UhD;ydM^l+cSEᘸe#+Fs0v.b(6S2G4K_jJjxTɉaa-nǝl| n%56G\[ ͝SB&