A high-profile group of computer security professionals scattered around the globe has created a third-party patch for the critical VML vulnerability as part of a broader effort to provide an emergency response system for zero-day malware attacks.
The group, known as ZERT (Zero Day Emergency Response Team), was formed in the aftermath of the WMF (Windows Metafile) attacks of December 2005 and is now emerging from stealth mode with an unofficial patch that offers temporary respite from a spate of drive-by malware downloads aimed at users of Microsofts Internet Explorer browser.
The patch, which was created and tested by a roster of reverse engineering gurus and virus research experts, is available from the ZERT Web site for Windows 2000 SP4, Windows XP (SP1 and SP2), Windows Server 2003 (SP1 and R2 inclusive).
"Something has to be done about Microsofts patching cycle. In some ways, it works. But, in other ways, it fails us," says Joe Stewart, a senior security researcher with SecureWorks, in Atlanta.
"It is clear that we are dealing with an underground group of people who are writing exploits for profits. They are waiting for Patch Tuesday to pass, then it becomes Exploit Wednesday. Were seeing these zero-days in the wild, timed precisely to guarantee at least an entire month to spread," Stewart said in an interview with eWEEK.
Stewart, who is volunteering his reverse-engineering skills and time to ZERT in his private capacity, wrote an early version of the VML (Vector Markup Language) patch the group released Sept. 22 and worked closely with others to fine-tune the update to minimize potential glitches.
Other volunteers involved with the ZERT initiative include Halvar Flake, CEO and head of research at Sabre Security; Ilfak Guilfanov, author of the IDA Pro binary analysis tool; Paul Vixie, founder of the ISC (Internet Software Consortium; Roger Thompson, chief technology officer of Exploit Prevention Labs; and Florian Weimer, a German computer expert specializing in Linux and DNS (Domain Name System) security..
Gadi Evron, an Internet security operations specialist well-known in botnet-hunting circles, is operations manager for ZERT. Nick FitzGerald, former editor of Virus Bulletin, is serving as liaison between the group and the anti-virus community while Dan Hubbard, senior director of security and technology research at Websense Security Labs, is volunteering technical assistance during zero-day outbreaks.
Hank Nussbacher, an Internet consultant specializing in Cisco IOS, routing design and threat analysis, is serving as go-between for ZERT and FIRST, an international forum for incident response and security teams.
"Whenever theres a vulnerability in the wild that is critical enough to threaten the health of the Internet, we want to have a mechanism to respond immediately. We cant afford to sit around and wait a month for a vendor [to release a patch]," Evron said in an interview.
Evron, who works as a security evangelist for Beyond Security, in Netanya, Israel, said ZERT volunteers have worked "literally around-the-clock" in coordination with several Internet operational security and incident response groups to create and perform quality-assurance testing on the VML patch."Were not here to replace [software] vendors. The idea is to provide quick, immediate response to threats when we determine that a zero-day threat is posing a serious risk to the public and the infrastructure of the Internet. Were saying, heres a temporary patch that we tested and were confident will help mitigate the risk. We cant guarantee it is fit for every environment, but were offering it as an option," Evron added.
Microsoft has historically frowned on the idea of third-parties providing security fixes. At the height of the WMF exploits earlier this year, the company slapped a "buyer-beware" tag on an unofficial hotfix created and released by Guilfanov, and although its own fix for the latest VML bug is scheduled for delivery on Oct. 10—more than two weeks away—the companys stance hasnt changed.
"[We] carefully review and test security updates and workarounds to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. Microsoft cannot provide similar assurance for independent third-party security updates or mitigations," a Microsoft spokesperson said in a statement sent to eWEEK. "Customers should obtain security updates and guidance from the original software vendor," it added.
Evron acknowledged that its impossible for ZERT to test its patches with every possible system configuration and in every usage scenario. "We [will] validate patches to the best of our ability, noting the environments in which the tests were performed and the test results. Were not pretending to be the official patch, were simply offering an alternative during high-risk incidents," he added.
He said the nonprofit group will prepare and release emergency patches for any affected vendor if an incident escalates to become a major threat. "We have the expertise to create patches for non-Microsoft related issues, such as network gear and other operating systems," Evron explained.
The source code for all of ZERTs unofficial fixes will be released along with the testing methodologies used during the patch preparation. Any known reduction in functionality as a result of the patch will be noted along with instructions to install or remove the updates.
The group will update the patch if a conflict, instability or vulnerability is discovered in it, and Evron said all ZERT updates will include a complete rollback option. The patches will be provided in GUI and command-prompt versions, he said.
When the official, vendor-supplied update is eventually released, ZERT will withdraw its patch.
The VML patch being released Sept. 22 was the combined effort of SecureWorks Stewart; Israeli programmer and reverse engineering enthusiast Gil Dabah; Michael Hale Ligh, a vulnerability researcher and computer forensics expert; and a batch of volunteer testers around the world.
Dabah said he started working on the patch on Sept. 19, just hours after the first wave of zero-day VML attacks started dumping a massive collection of bots, Trojan downloaders, spyware and rootkits on Windows machines.
"Its been about 19 hours of work, almost nonstop. It may be easy to build a patch, but testing is a lot of work. There are just too many versions of Windows," he said with a laugh.
Stewart, who wrote a version of the patch and submitted it to the group for consideration, said the creation of the actual fix is "very straightforward."
The challenge, he says, lies in figuring out how to deploy it in a robust fashion, for several different operating system versions and service pack levels.
The group did not coordinate its response with Microsoft and Stewart stressed that the aim is not to serve as a replacement for the software vendor. "Our goal is to get Microsoft to realize that there is a demand out there for an emergency patch. Were not looking for [Windows] users to prefer us over Microsoft. Were simply offering an alternative in a crisis," Stewart added.
"Microsoft needs to start paying attention and recognize that theres a need for an out-of-band patch. Its somewhat irresponsible to tell customers to wait two weeks for Patch Tuesday while computers are being hosed with malware," he declared.