• United States



Pre-release Microsoft Patch for WMF Flaw Leaked

Jan 05, 20065 mins
CSO and CISOData and Information Security

A pre-release version of a Microsoft Corp. patch being developed to fix the recently disclosed Windows WMF flaw was “briefly and inadvertently” posted on a security Web site, the company confirmed this morning.

A spokeswoman for Microsoft refused to give further details on what exactly happened or on what site the pre-release patch was posted. But in a brief update to an earlier advisory on the WMF flaw, Microsoft noted that posting of the beta patch on the Internet has resulted in “some discussion and pointers on subsequent sites to the pre-release update.”

[View more Windows WMF vulnerability coverage] “Microsoft recommends that customers disregard the postings,” the company said.

The latest development comes as users and analysts appear to be divided on whether it’s a good idea to install an already available third-party patch to fix the Windows WMF vulnerability or to wait for Microsoft Corp.’s official fix, which isn’t slated to be released until Jan. 10.

The unofficial patch — developed by Belgian programmer Ilfak Guilfanov — works by disabling a DLL in Windows and has been available for download on Guilfanov’s Web site at for the past few days.

The influential SANS Internet Storm Center (ISC)) and security vendor F-Secure Corp. are among the organizations that have been advising users to download Guilfanov’s patch to mitigate the risk caused by the WMF flaw rather than waiting for Microsoft’s patch. SANS has made the patch available for download on its Web site and says that more than 120,000 downloads have already been made. F-Secure is another company that says it has tested and audited the patch, and is recommending that users download it to protect themselves against WMF exploits. “We’re running it on all of our own Windows machines,” the company said in a blog on its Web site.

This is the first time that SANS has recommended such a course of action and it underscores the severity of the risk posed to companies by the WMF flaw, said Johannes Ullrich, chief technology officer at the Bethesda, Md.-based ISC.

Even though Microsoft has suggested several work-arounds for the problem, “there is no effective mitigation against this vulnerability,” Ullrich said. “It is not like you can disable a function or close a service to protect yourself” without a patch, Ullrich said.

What makes matters worse is that exploits for this vulnerability now exist, as are hacker tools designed to help such exploits sneak past anti-virus and other intrusion prevention defenses, he said. “It’s a threat that’s real and is being exploited, and there is no good defense against it,” Ullrich said.

Even so, several users and analysts said that companies should avoid any unsupported or unofficial patch. That’s because such third-party patches are unlikely to have been fully tested for quality and application-compatibility issues and could cause unforeseen problems down the road, they said.

“To use the old colloquialism, we are damned if we do and damned if we don’t” install the third-party patch, said Matt Kesner, chief technology officer at Palo Alto, Calif.-based law firm Fenwick & West LLP. “We have looked at Microsoft’s work-arounds and they don’t seem to be adequate if media and security blog reports are true,” he said.

At the same time, the law firm is extremely reluctant to install the third-party patch on production servers — even though it is testing it on a few virtual servers, Kesner said. “We frankly don’t know quite what to do.”

Waiting for Microsoft’s patch could mean leaving the law firm exposed to exploits targeting the WMF vulnerability. But installing a third-party patch on Microsoft servers could result in unforeseen consequences and raise potential support issues with Microsoft in case of a future problem, he said.

Tom Robertson, senior vice president of IT at Charter Bank in Bellevue, Wash., said his firm is making all the appropriate updates to its antivirus, antispam and content filters as well as its network intrusion protection systems while it waits for Microsoft’s updates. But “we are unlikely to implement any third-party Windows patches,” he said.

“It is never a good idea to deploy an untested third-party patch. It’s an invitation for bigger problems,” said Andrew Plato president of Anitian Enterprise Security, a systems integration and consulting firm in Beaverton. Ore. “The WMF exploit is bad, but no worse than a hundred other exploits, many of which remain undisclosed,” he said.

Russ Cooper, editor of the NTBugtraq mailing list and a senior scientist at Cybertrust Inc. in Herndon, Va., is another security analyst who said its better for companies to avoid downloading third-party patches. “It’s certainly not a good recommendation, in our opinion, to all of a sudden start recommending code of this nature,” Cooper said. “At the very least, it has not undergone the quality scrutiny and testing that Microsoft’s patch will have. So, we think it is a bad suggestion.”

By Jaikumar Vijayan – Computerworld (US online)