Security Blog Wire: Plenty of opinions on WMF patching

By Bill Brenner
06 Jan 2006 | SearchSecurity.com



Nobody disputes the threat Microsoft's Windows Meta File flaw poses to enterprise networks. The digital underground has already exploited it on a massive scale. U.K.-based AV firm Sophos, for example, says it has seen hundreds of attempted attacks through e-mail, instant messaging and Web browsing. In all likelihood, that's why the software giant reversed its decision and released the patch on Jan. 5, rather than Jan. 10, when its monthly slate of "Patch Tuesday" fixes is scheduled to debut.

But did the danger justify company-wide deployments of third-party patches before the Redmond, Wash.-based Microsoft released its official fix? That's the question security bloggers grappled with this week.

Some said Windows users should have faith in Microsoft's efforts to produce a tried and tested fix in time for its monthly security update, and that mass deploying unofficial patches is foolhardy in any event. Others -- including major security vendors like Helsinki-based F-Secure Corp. -- took the unusual step of endorsing an unofficial fix Russian programmer Ilfak Guilfanov made available in his blog. Others argued that only individual IT managers can determine what's best for their network.

Worth the risk
F-Secure AV Research Director Mikko Hypponen explained the endorsement of a third-party fix in the company's daily lab blog. "Ilfak Guilfanov has published a temporary fix, which does not remove any functionality from the system (all pictures and thumbnails continue to work normally)," he said. "Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world." A description of IDA Pro is available in this .pdf file.

Adrian Kingsley-Hughes, a British-based technical consultant and author, argued in favor of the third-party fix in his PC Doctor blog. "I've just been asked (again) if I recommend the unofficial WMF patch that Ilfak Guilfanov released for the WMF exploit a few days ago," he said. "YES!!! Forget the nonsense from Microsoft on this and get protected. Plenty of eyes have examined the patch (including my own) and the consensus is that it offers protection and nothing more. Get protected until an official patch is released! Don't wait! Do it now!"

On the fence
Those who were in the middle included Costin Raiu, head of research and development for the Romanian division of Russian AV firm Kaspersky Lab. After an alleged beta of Microsoft's WMF patch started making the rounds this week, he wrote in the firm's Analyst Diary blog that "you should never use a patch from an untrusted source, no matter how promising it looks… you should always be very wary of any third-party patch from an untrusted source, whether it's claiming to fix an old vulnerability or the latest WMF vulnerability. This is a method which has successfully been used in the past to distribute malware."

That philosophy didn't stop him from jumping on the Guilfanov bandwagon, however. "Ilfak's patch is the only one we can recommend… [he] knows what he's doing, and the work he's put into developing the patch is admirable," Raiu said.

An insane option?
Those who were more skeptical of the third-party option include Windows Small Business Server (SBS) expert Susan Bradley. She wrote in her E-Bitz SBS blog that those who install unofficial fixes like Guilfanov's should "test this sucker and understand that you have possibly put this in an unsupported position."

She said IT shops have to decide for themselves what the best choice is, and that administrators shouldn't rush to deploy third-party patches just because entities like F-Secure and the Bethesda, Md.-based SANS Internet Storm Center recommend it.

About Bill Brenner

Bill, SearchSecurity.com's Senior News Writer, has more than a decade of journalism experience. He has worked as a reporter and editor, starting as a writer for Community Newspaper Company, then as an editor at The Eagle-Tribune, the daily newspaper of Massachusetts' Merrimack Valley region.

If you have a security news tip or story idea for Bill, contact him at bbrenner@techtarget.com.

"I find it insane that folks are wanting untested patches on their systems, both in the form of a third-party patch or in the form of an untested Microsoft patch," she said. "F-Secure doesn't understand my network, my risk tolerance [or] my lab apps any more than Microsoft does. So if I do my own risk analysis and don't always follow Microsoft's advice, why should I follow anyone else's?"

Test, test and test some more
Whether they are for or against using third-party fixes, security bloggers agree that IT shops should test patches thoroughly before deploying them company-wide. Todd Towles, a network systems analyst at a medium-sized, Southeastern-based retail chain, said this in his Thoughts of a Technocrat blog:

"Administrators should NEVER push patches to large groups of computers without extensive and proper testing. This goes for ANY program (fix, patch, new program, update, upgrade, workarounds - whatever). Home-grown or official."

He added that most large companies have multiple defense systems and can reduce the WMF threat without taking the third-party patch option. "Network and security professionals may want the extra protection of applying Ilfak's patch," Towles said. "Go ahead [and] use it. All my home computers have it and my work laptop, but with multiple defense layers in place here at the office, I don't see a huge need to push it out like it's MS03-039."

Microsoft released MS03-039 in September 2003 to fix a critical flaw in the Remote Procedure Call portmapper, which directs traffic for different services using RPC. Towles said that flaw, which was heavily exploited, was worse than the WMF glitch.

Trust us
Not surprisingly, the Microsoft Security Response Center, the software giant's vulnerability management and resolution team, used its blog to urge patience and warn against the use of third-party patches. Response Center operations manager Mike Reavey stressed that the company is doing everything in its power to get a patch out quickly.

"The update has been on an expedited track since Microsoft became aware of the attacks on Dec. 27th," he said. "We still anticipate releasing the security fix for this issue on Jan. 10, 2006, once testing for quality and application compatibility is complete."

The race to develop a fix "includes redirecting resources from other security development and testing efforts to primarily focus around the clock on producing and releasing the WMF security update," he assured users.
