COLUMN

Security Blog Wire: Plenty of opinions on WMF patching

By Bill Brenner 06 Jan 2006 | SearchSecurity.com Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

--------------------------------------------------------------------------------------------------------

Nobody disputes the threat Microsoft's Windows Meta File flaw poses to enterprise networks. The digital underground has already exploited it on a massive scale. U.K.-based AV firm Sophos, for example, says it has seen hundreds of attempted attacks through e-mail, instant messaging and Web browsing. In all likelihood, that's why the software giant reversed its decision and released the patch on Jan. 5, rather than Jan. 10, when its monthly slate of "Patch Tuesday" fixes is scheduled to debut.

But did the danger justify company-wide deployments of third-party patches before the Redmond, Wash.-based Microsoft released its official fix? That's the question security bloggers grappled with this week.

Some said Windows users should have faith in Microsoft's efforts to produce a tried and tested fix in time for its monthly security update, and that mass deploying unofficial patches is foolhardy in any event. Others -- including major security vendors like Helsinki-based F-Secure Corp. -- took the unusual step of endorsing an unofficial fix Russian programmer Ilfak Guilfanov made available in his blog. Others argued that only individual IT managers can determine what's best for their network.

Worth the risk
F-Secure AV Research Director Mikko Hypponen explained the endorsement of a third-party fix in the company's daily lab blog. "Ilfak Guilfanov has published a temporary fix, which does not remove any functionality from the system (all pictures and thumbnails continue to work normally)," he said. "Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world." A description of IDA Pro is available in this .pdf file.

Adrian Kingsley-Hughes, a British-based technical consultant and author, argued in favor of the third-party fix in his PC Doctor blog."I've just been asked (again) if I recommend the unofficial WMF patch that Ilfak Guilfanov released for the WMF exploit a few days ago," he said. "YES!!! Forget the nonsense from Microsoft on this and get protected. Plenty of eyes have examined the patch (including my own) and the consensus it that it offers protection and nothing more. Get protected until an official patch is released! Don't wait! Do it now!"

On the fence
Those who were in the middle included Costin Raiu, head of research and development for the Romanian division of Russian AV firm Kaspersky Lab. After an alleged beta of Microsoft's WMF patch started making the rounds this week, he wrote in the firm's Analyst Diary blog that "you should never use a patch from an untrusted source, no matter how promising it looks… you should always be very wary of any third-party patch from an untrusted source, whether it's claiming to fix an old vulnerability or the latest WMF vulnerability. This is a method which has successfully been used in the past to distribute malware."

That philosophy didn't stop him from jumping on the Guilfanov bandwagon, however. "Ilfak's patch is the only one we can recommend… [he] knows what he's doing, and the work he's put into developing the patch is admirable," Raiu said.

An insane option?
Those who were more skeptical of the third-party option include Windows Small Business Server (SBS) expert Susan Bradley. She wrote in her E-Bitz SBS blog that those who install unofficial fixes like Guilfanov's should "test this sucker and understand that you have possibly put this in an unsupported position."

She said IT shops have to decide for themselves what the best choice is, and that administrators shouldn't rush to deploy third-party patches just because entities like F-Secure and the Bethesda, Md.-based SANS Internet Storm Center recommend it.

About Bill Brenner Bill, SearchSecurity.com's Senior News Writer, has more than a decade of journalism experience. He has worked as a reporter and editor, starting as a writer for Community Newspaper Company, then as an editor at The Eagle-Tribune, the daily newspaper of Massachusetts' Merrimack Valley region. If you have a security news tip or story idea for bill, contact him at bbrenner@techtarget.com.

"I find it insane that folks are wanting untested patches on their systems, both in the form of a third-party patch or in the form of an untested Microsoft patch," she said. "F-Secure doesn't understand my network, my risk tolerance [or] my lab apps any more than Microsoft does. So if I do my own risk analysis and don't always follow Microsoft's advice, why should I follow anyone else's?"

Test, test and test some more
Whether they are for or against using third-party fixes, security bloggers agree that IT shops should test patches thoroughly before deploying them company-wide. Todd Towles, a network systems analyst at a medium-sized, Southeastern-based retail chain, said this in his Thoughts of a Technocrat blog:

"Administrators should NEVER push patches to large groups of computers without extensive and proper testing. This goes for ANY program (fix, patch, new program, update, upgrade, workarounds - whatever). Home-grown or official."

He added that most large companies have multiple defense systems and can reduce the WMF threat without taking the third-party patch option. "Network and security professionals may want the extra protection of applying IIfak's patch," Towles said. "Go ahead [and] use it. All my home computers have it and my work laptop, but with multiple defense layers in place here at the office, I don't see a huge need to push it out like it's MS03-039."

Microsoft released MS03-039 in September 2003 to fix a critical flaw in the Remote Procedure Call portmapper, which directs traffic for different services using RPC. Towles said that flaw, which was heavily exploited, was worse than the WMF glitch.

Trust us
Not surprisingly, the Microsoft Security Response Center, the software giant's vulnerability management and resolution team, used its blog to urge patience and warn against the use of third-party patches. Response Center operations manager Mike Reavey stressed that the company is doing everything in its power to get a patch out quickly.

"The update has been on an expedited track since Microsoft became aware of the attacks on Dec. 27th," he said. "We still anticipate releasing the security fix for this issue on Jan. 10, 2006, once testing for quality and application compatibility is complete."

The race to develop a fix "includes redirecting resources from other security development and testing efforts to primarily focus around the clock on producing and releasing the WMF security update," he assured users.

Tags: Security Industry Market Trends, Predictions and Forecasts,  Security Patch Management,  Information Security Policies, Procedures and Guidelines,  Malware, Viruses, Trojans and Spyware,  Security Awareness Training and Internal Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Industry Market Trends, Predictions and Forecasts Cybersecurity czar candidate questions clout of new position Gartner sees better days ahead for security budgets Sophos CEO on Symantec, McAfee after Utimaco acquisition WH cybersecurity plan needs private sector guidance Obama announces creation of cybersecurity coordinator position Security budgets take hit in media, tech industry, survey finds Cybersecurity Act of 2009: Power grab, or necessary step? Opinion: Gartner gets NAC wrong, again Cloud computing security group releases report outlining trouble areas White House cybersecurity advisor calls for public-private cooperation Security Industry Market Trends, Predictions and Forecasts Research Security Patch Management Adobe fixes critical Shockwave Flash Player flaw Mozilla patches 11 Firefox security flaws, JavaScript errors Microsoft patches WebDAV security vulnerability in bevy of updates Adobe issues first quarterly patch release fixing 13 flaws Microsoft plans 10 security updates, fixing IE, Word, Excel vulnerabilities Adobe shifts to Microsoft patching process, incident response plan Software delivery could fix software patching issues Microsoft updates Office to address serious PowerPoint vulnerabilities Microsoft to patch critical PowerPoint zero-day flaw Firefox update addresses several security flaws Information Security Policies, Procedures and Guidelines Twitter risks, Facebook threats trouble security pros Cybersecurity czar candidate questions clout of new position Incident response planning The basics of enterprise GRC project management RSA council addresses growing security risks in the cloud How to write a risk methodology that blends business, security needs Risk management must include physical-logical security convergence DHS fills National Cybersecurity Center post New partnerships, creative thinking help security bust recession Experts optimistic of Obama cybersecurity plan

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary backscatter body scanning  (SearchSecurity.com) marketecture  (SearchSecurity.com) NCSA  (SearchSecurity.com) Palladium  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary