Confusion over whose patch to use for Windows flaw

Out-Law News | 04 Jan 2006 | 9:19 am | 1 min. read

Conflicting advice is being offered to Windows users over the latest software vulnerability to be revealed. Microsoft is urging users to wait for an approved patch to be released, but some security experts say that a third-party patch should be used right away.

They believe that the vulnerability – relating to Windows Metafile (WMF) image handling, the code that allows users to view image files – is so serious that it outweighs the risk of using an unauthorised patch.

The vulnerability came to light in late December, when it was revealed that computers using almost all versions of the Windows operating system could be infected simply by visiting web pages containing exploits designed to take advantage of the flaw.

Examples of such exploits have already been found, leading to an alert from the US Computer Emergency Readiness Team (US-CERT) on 28th December. But the flaw is as yet unpatched.

Microsoft confirmed yesterday that it had completed the development of a security update to fix the vulnerability but that this was now in the testing process. Microsoft expects to release the update on 10th January.

“Although the issue is serious and the attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks is limited. In addition, attacks exploiting the WMF vulnerability are being effectively mitigated by anti-virus companies with up-to-date signatures,” said Microsoft.

The company urged users to take care not to visit unfamiliar or untrusted websites that could potentially host the malicious code, and to keep their anti-virus protections up to date.

But in the eyes of some in the online security field, action needs to be taken now.

Researchers at the SANS Institute – a leading source for information security training and certification – have called for users to make use of an unofficial patch developed by Ilfak Guilfanov, an expert in reverse engineering. Their call has been echoed by security firm F-Secure.

“This is a very unusual situation – we've never done this before,” Mikko Hypponen, F-Secure’s antivirus research director, told ZDNet UK. “We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same.”

In response, Microsoft warned that “As a general rule, it is a best practice to utilise security updates for software vulnerabilities from the original vendor of the software.”

This takes advantage of the review and testing process carried out to ensure that updates are of high quality and have application compatibility.

“Microsoft cannot provide similar assurance for independent third party security updates,” said Microsoft.