Experts Clash Over Third-Party Windows Metafile Patch


While some security experts urged users Wednesday to apply an unsanctioned, third-party patch to block the growing number of attacks against the Windows Metafile (WMF) bug, others -- Microsoft included -- said that was a very bad idea.

The controversy swirls around whether to apply a hotfix created by Ilfak Guilfanov, a reverse-engineering guru best known for his Interactive Disassembler Pro (IDA) software. Guilfanov's patch, which is hosted on several sites, blocks WMF exploits by patching gdi32.dll's Escape() function in memory so that it ignores any call that passes the SETABORTPROC escape code, the parameter the exploits rely on.

Microsoft's own patch, the Redmond, Wash.-based developer said Tuesday, is scheduled to post on Windows Update Jan. 10. It's the days between now and then, some say, that's worrisome enough to justify adding an unofficial fix.

On one side stand a pair of well-known security organizations -- SANS Institute's Internet Storm Center (ISC), and Helsinki-based security company F-Secure -- that have been among the most active in researching the WMF vulnerability and tracking its exploits.


The Guilfanov hotfix has been blessed by both.

"Install the patch," said Mikko Hypponen, F-Secure's chief research officer. "We've tested and audited it and can recommend it. We're running it on all of our own Windows machines."

The ISC was just as direct. "Our current 'best practice' recommendation is to both unregister the DLL and to use the unofficial patch," wrote Johannes Ullrich, chief research officer of the ISC, in a blog entry on the group's site.

Scott Fendley, another analyst at the Storm Center, put it a different way. "What would be the cost to your company if you are compromised between now and January 10? Can you really afford to do nothing? Are you willing to gamble that unregistering the DLL is sufficient or do you go with defense in depth and apply the unofficial patch?"

Most other security experts, however, recommended a more conservative tack.

"You need to decide yourself on this one," said Graham Cluley, a senior technology consultant for U.K.-based Sophos. "The vulnerability is a serious problem -- we've seen over 200 different exploits -- but I don't think this is a time to panic."

Jonah Paransky, a senior manager with Symantec's security response team, gave even clearer advice. "There's a significant risk to putting a third-party patch on enterprise systems," he said. "In our view, it's a move of last resort." Rather than rely on the unsanctioned hotfix, said Cluley and Paransky, corporate IT would be better served by making sure that anti-virus and other perimeter defenses are up to date and working.

"The real risk here isn't an immediate exploit, but the long term threat posed by a vulnerable core system that impacts so many systems," said Paransky, referring to the fact that the vulnerability affects virtually all versions of Windows.

Research firm Gartner seconded the wait-for-Microsoft strategy. "It really does take a lot of testing to make sure that a patch doesn't cause some sort of self-inflicted wound," said John Pescatore, a Gartner research director, and one of the company's security experts. "If you're an enterprise IT administrator, and there's this potential threat, and then you deploy this unofficial patch and you bring down your corporate system yourself…" he added.

"Microsoft has a patch coming out Jan. 10, that's what, six days away? So you'll install this patch, then uninstall it, then install Microsoft's? That's three chances that things could go wrong," said Pescatore.

As a rule of thumb, Microsoft never recommends third-party updates; this isn't an exception.

"It's just best practice to only use patches from the vendor," said Debby Fry Wilson, a director at Microsoft's Security Research Center (MSRC). "Customers should use the security update we'll provide Jan. 10. That's a better option than a third-party patch."

Wilson and her colleague, Kevin Kean, another MSRC director, ticked off the reasons why enterprises should steer clear of unofficial fixes. "We can only put our assurances behind our own patch," said Wilson. "We offer free support, it will have gone through our testing, and it will be released simultaneously in 23 languages in all versions of Windows."

"And there's always the chance that a third-party patch could itself contain security holes," warned Kean, although he said he was speaking in general terms, not specifically about Guilfanov's patch.

"We're on schedule to release [our patch] Jan. 10," confirmed Wilson. "But if the situation in the wild changes, and the data and analysis we have on the rate of spread [of exploits] changes from what we know today, we would release it out-of-cycle."