Microsoft Corp. has slapped a buyer-beware tag on a third-party patch for the zero-day Windows Metafile (WMF) flaw and said its own properly tested update will almost certainly ship Jan. 10.
The company's latest guidance comes days after an unofficial hotfix from reverse-engineering guru Ilfak Guilfanov got rare blessings from experts at the SANS Internet Storm Center (ISC) and anti-virus vendor F-Secure Corp.
Guilfanov, author of the IDA Pro interactive disassembler, released an executable that disables the SETABORTPROC escape, the GDI Escape() sub-function at the crux of the problem. The hotfix was tested and approved for use by many security experts, but Microsoft says it cannot vouch for the quality of the fix.
"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006," the company said in an updated advisory.
Microsoft said its own patch has already been developed and is going through a rigorous round of quality assurance testing. "The security update is now being localized and tested to ensure quality and application compatibility." Last-minute glitches in testing could still delay the update.
As a general rule, the Redmond, Wash., company never recommends third-party updates. Since attackers began exploiting the bug to push malware onto vulnerable Windows systems (XP SP2 included), the company has put all of its security resources into the investigation and patch-creation process, leaving it virtually no capacity to validate the third-party code.
Without a full test pass, it is impossible for Microsoft to know what impact the third-party change might have on applications mandated in regulated industries or on in-house applications. In addition, Microsoft noted that its Patch Day updates are released in 23 languages for all affected versions of the software simultaneously. "Microsoft cannot provide similar assurance for independent third-party security updates," the company added.
Jesper Johansson, a senior security strategist in the Security Technology Unit at Microsoft, warned that the "unknown risk of issues with an unofficial patch is pretty high."
In a blog entry, Johansson said enterprise IT administrators must carefully consider the risks involved before thinking of applying Guilfanov's hotfix. "The patch is an executable and has to be run on each vulnerable system, meaning cost of implementation is potentially very high. … Personally, I have not tested it, and I have no intention of using an unofficial patch at this time."
Johansson said a decision to use an unofficial patch should be driven by risk management. "If you have extremely high security requirements, you may want to go so far as using something as drastic as an unofficial patch. However, in that situation you are probably not willing to trust a third-party packaged patch anyway."
"The unknown risk of issues with an unofficial patch is pretty high. The cost of implementation ranges from low in a very managed environment, to very high in an unmanaged environment. If your risk and the cost of the attack is very high, then you may want to consider the unofficial patch, but I cannot in the best conscience recommend it right now," Johansson added.
Privately, Microsoft officials are furious at what they see as an overblown reaction, especially in the mainstream media, where the WMF exploit is being compared to debilitating network worms such as Blaster and Sasser.
Although the threat is legitimate and new exploits are constantly being published, there is no remote, unauthenticated attack vector that could lead to a widespread worm attack. Blaster and Sasser spread by attacking listening network services with no user action; a successful WMF attack requires that the victim be lured to a malicious Web site, much like any other phishing or malware attack.
"Although the issue is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks is not widespread. In addition, anti-virus companies indicate that attacks based on exploiting the WMF vulnerability are being effectively mitigated through up-to-date signatures," a spokesman said in a statement sent to eWEEK.