Newsmaker: Beating Microsoft to the punch

Ilfak Guilfanov is far from a household name.

But that may soon change as the Russian software developer's unauthorized Microsoft security patch is increasingly installed onto computers worldwide.

In a rare move, security experts at the SANS Institute's Internet Storm Center and at F-Secure are advising people to download Guilfanov's patch, which aims to fix a flaw in the Windows Meta File.

This vulnerability has spawned a torrent of exploits that seek to take advantage of the wait while Microsoft works on its own patch. The software company has said it will release a WMF patch on Jan. 10, as part of its monthly security update cycle. That would come 14 days after the flaw was first publicly disclosed.

People eager to download the unofficial patch inundated Guilfanov's personal Web site, which had to be temporarily shut down as a result. He has since reduced his home page to its bare minimum.

In this case, Guilfanov, a senior developer at DataRescue in Liege, Belgium, has gained the trust of security companies, which usually are reluctant to suggest that customers use a patch from someone other than the original maker of the software.

On Tuesday, Guilfanov, who lives in Belgium, explained to CNET News.com in an e-mail interview why he came up with his own answer to the Windows problem.

Q: Not many people may be familiar with Ilfak Guilfanov. Why should millions of people who are affected by the Windows Meta File flaw trust your unofficial patch?

Guilfanov: It is quite a difficult question to answer.

Maybe because security professionals and three-letter agencies are already using my (IDA Pro) program? IDA Pro is used to analyze all malware (malicious software) and viruses today. People are free not to trust my fix, but they are already depending on IDA Pro to get precise analysis of binary programs today.

Maybe because I do not hide anything and put the source code in front of everyone's eyes? The fix comes with full source code--everyone can check how it works and make their own decision. Knowledgeable people, like guys from SANS, have checked and approved it.

Maybe because of the reputation of the company where I work, DataRescue? Most security companies use our product, (and) are familiar with us and our practices. I'm not surprised that most of them trust me. I cannot speak for DataRescue, of course, but this is my feeling.

In short, I do not have a simple answer to your question.

Have you developed other unofficial patches in the past that were recommended by security vendors?

Guilfanov: It is the first time I have created such a patch. It is the first time the vulnerability has been really bad and dangerous. It scared me.

I created the fix for me and my friends. But when I put it online, I realized that it is going to be a big thing.

Did you have contact with Microsoft prior to publishing the unofficial patch?

Guilfanov: No.

Why did you decide not to do that? Did you determine there would be nothing to gain from such a move?

Guilfanov: Well, I posted it to my blog to display one possible solution to the problem. I published the source code of the fix so that everyone could verify how it works. I saw this as a technical issue and did not think that Microsoft would need my advice.

While SANS Internet Storm Center and F-Secure are recommending your patch, it has spawned some debate on security mailing list Full-Disclosure. What do you say to the skeptics who say your patch can affect certain functionality in Windows?

Guilfanov: As far as I know, the fix does not break any practically used functionality in Windows. The problem with the vulnerability is that the very functionality my fix revokes is the culprit.

Fixing the vulnerability without revoking it is really difficult, if not impossible.

There is also a sense of division among those who want Microsoft to deliver the update now, as opposed to waiting until its monthly patch release on Jan. 10. What do you think Microsoft should do?

Guilfanov: I think Microsoft should develop a patch, (and) test and release it. And I believe that this is exactly what they are doing.

Why do you think your unofficial patch has been so popular with users?
I cannot tell for sure, but most likely because of my reputation as the author of IDA Pro disassembler...Second, the fix comes with the source code. This makes much easier to verify it--this is what exactly happened at the SANS Institute. The experts confirmed that the fix does exactly what it is supposed to do and approved it.

Finally, what are your personal views on recommending unofficial patches? When are these appropriate to use, and under what circumstances?

Guilfanov: They should be taken with caution. I personally would not trust a closed-source fix coming from a third party. That's why I published the source code from the start.

I would recommend users to install the fix, but please test it before deploying it in large corporate networks and take a responsible approach. I believe all patches, official or not, should be tested on a small scale before deployment in large corporate networks.

 

More Newsmakers

[n3td3v]

An unofficial patch is as damaging as flaw

Heres a link from me to you, since Cnet have written so many articles on the WMF flaw over the last few hours. Here what I have to say on the matter. Let me say this, the world's security experts are making grave mistakes for the future by recommending third party patches, ITS IRRESPONSIBLE to the highest degree. Its the HACKERS downloading the patch and making your site busy.... http://news.com.com/5208-1002-0.html?forumID=1&threadID=12822&messageID=99631&start=-1&reply=true

[JoeF2]

So, what's your agenda?

I see several posts from you against this patch.
Are you one of the "hackers" (crackers is the right word, btw) who likes to exploit the hole?
Somebody pseudonymous who rails against some of the best security experts... quite preposterous...
Leaves me just one conclusion: you are a script kiddie, eh?

[Zymurgist]

3rd party patches irresponsible?

You have to be kidding! They are de rigeur in
the Windows world -- just ask Symantec.

There's nothing inherently wrong with 3rd party
patches. They typically come out faster, include
a very concise and thorough description of what
the patch does, and provide the source code and
list of affected files for inspection.
Historically, they have also proven more
effective and less likely to interfere with the
regular function of a system than vendor
patches.

Traditionally, 3rd party patches have been the
primary source of software fixes. Early on, it
was generally the user base that fixed software
(and often sent the fixes back to the vendor).
Today, many companies use products unsupported
by the vendor (Windows 98, for example) or where
the original vendor has folded -- 3rd party
patches are the only option. In the F/OSS
software environment, they are part of the
natural evolution of an application (and
typically provided in source form minutes after
creation and in binary form within 24 hours).

No. Keep up the 3rd party patches -- especially
when they fix serious problems as of yet
addressed by the vendor or responsible party.

[Jerics]

Grateful, Thank You Ilfak

Third-party. Ilfak is not just any third-party.
http://www.hexblog.com/about.html
Patches, plural? Was there another one? If there was, no one seems to have known about it.
Unprecedented? Yes. The security companies knew who provided the "unofficial patch" they were suggesting. For pete's sake, they are more than likely using his software. This was not just any "third-party".

I among thousands of others are most grateful for Ilfak's help. Thank you Ilfak!

[n3td3v]

Hackers are loving this, WELL DONE SANS, F-SECURE, CNET, others

Hackers must be really enjoying this. You're making sure the internet falls straight down a deep black hole where everyone starts trying third party files. Hackers get patches before the majority of consumers, and hacker bot nets are secured. Lets not even bring up the countless phishing attacks that are going to come off this. Hackers use these early patches as a tool to secure computers they compromised, so other hackers can't get near. This is the single most biggest industry to date to start recommending patches by third party developers. Its opening up a pandora's box for the future. This isn't the way we should be start 2006, this is very bad news. CNET, SANS, F-SECURE will be held responsible by me in the future on the public mailing lists when my fears are proven.

[Zymurgist]

Silly.

The patch isn't particularly meaningful for
black hats. An already compromised system won't
be cured by applying a patch, and black hats
know the majority of hosts will never apply the
patch (or those that other known
vulnerabilities).

If a black hat secures a machine against further
attack, that's of benefit to the end user, but
in practice probably never happens, after all,
what would they care if a machine is part of
multiple bot nets? And how is using a
third-party patch any different than using a
vendor patch against the same flaw, with respect
to informing a black hat about the nature of the
problem? From their stand-point, the Microsoft
patch is equally informative and equally
effective -- the only difference is the time of
release.

Really, is it more logical to patch a
vulnerability immediately, or permit an effected
system to remain on the network and open to
compromise for an indefinite period to await
sign-off by the appropriate manager?

[JoeF2]

Hackers like you?

Obviously, script kiddies don't like it when their playground gets closed early...

[masterdv]

'read about the December Lawsuits' ?

Its ironic to see that advertisement...

Why don't people start some January lawsuits because of the economic damage that these holes in security are causing?

If Microsoft started getting sued for problems like this, boy would they work hard to ensure there are few problems.

[n3td3v]

Far from it

All my comments are infact anti-hacker

[JoeF2]

Then you should welcome this patch

If you are indeed "anti-hacker" (which should be "anti-cracker", anyway), then you should recommend this patch.
Anything that makes hijacking other computers harder is good, by definition.
Anybody who doesn't like a patch for Windows just because it doesn't come from MS has to be questioned about his motive.
I don't care where a patch comes from, as long as I see less hijacked machines, and less spam and viruses routed through them.

[n3td3v]

Re: whats my agenda

My agenda is to bring to light when mistakes are being made. I'm not a hacker, nor a script kid. I'm simply a security researcher watching whats going on and pointing out when mistakes are being made. Take care, n3td3v

[n3td3v]

Re: Then you should welcome this patch

Welcome a patch the majority of the Windows world won't get? Welcome a patch the majority of Windows consumers don't know about? Welcome a patch thats infact being used against the idealology of the reason the patch is released? Hackers are using the patch as part of their attack vector against machines. Its the hackers downloading this patch and making the site go down through high traffic. Trust me your average Windows user isn't even aware theres a WMF flaw or what WMF stands for. Welcome a patch which means theres going to be future attacks based on two anti virus vendors recommending a third party file? Yeah, sounds good. IF you can't see the consequences of this, then gee, go away.

blah blah blah

just shutup. it's done. I'm glad he did it and so are a lot of sysadmins. Jan 10 is still a long way away.

[JoeF2]

And you want to be a "security expert"???LOL

Anybody who uses the "excuse" that the majority of Windows consumers don't know about the patch is, quite frankly, an idiot.
The majority of Windows users don't know about Windows Update, either.
Any "security expert" who uses the term "hacker" to describe the bad guys is anything but an expert.
And the "excuse" that the bad guys can use the patch in their attack is also completely irrelevant. They don't need somebody else's sources. Script kiddies, who can't write their own code, could in principle, but they are not even smart enough to understand the code.

I can see the consequences of this patch just fine. They are good ones, computers secured.
You are the one who obviously is afraid of that. In other words, you are a script kiddie who wants the computers be vulnerable. Thanks for exposing yourself.
Oh, and your "l33t" handle is also an indication for that. Grow up.

[Nicco]

Who doesn't know about what ?

you wrote: "Welcome a patch the majority of Windows consumers
don't know about?"
Well, I can only speak for my country (Belgium). This WMF problem
was a headline in yesterday evening news on national TV (and
included interviews with experts). Even my 78 year old mother
knows about it ! So don't claim people are ignorant.

[ScullyB]

N3tt4rd

JA wrote: "Welcome a patch the majority of the Windows world won't get?" Uhm, that's most patches.

JA wrote: "Hackers are using the patch as part of their attack vector against machines." They already use Microsoft patches for that.......so, what's your point?

JA wrote: "IF you can't see the consequences of this, then gee, go away." Nobody sees the consequences as being any different with a third party as it is with Microsoft releasing a patch. As for going away, you've been banished from full-disclosure already, you should think about doing the same, to yourself, here. This has nothing to do with XSS so ****....k.

Microsoft should offer patches sooner

Microsoft should offer patches sooner to people who do not want to wait and once a month via the automated windows update service for others who do not care for frequent updates.

This shows that if Microsoft does not deliver others will.

[n3td3v]

One thing you should take note of

Is the time of year this has all happened. I think the people who discovered the flaw planned it just at the right time, to cause maximum disruption to Microsoft, and to catch them out. Look between the lines of whats really going on.

[rcrusoe]

Thanks Ilfak!

I learned of your patch from Steve Gibson, www.grc.com, on the
Security Now podcast with Leo Laporte. After hearing that he
had tested your patch and reviewed your source code (which you
published) I immediately downloaded the patch and tested it on
a couple of systems. 24 hours later it was on all our company
computers.

Everyone knows that Windows is not a secure OS, so MS should
just fix problems AS THEY OCCUR! Microsoft's reputation is not
more important than their customers security.

[wired2006]

WMF Patch

I applied the unofficial patch, but I think there is still a problem within Windows and Symantec NIS 2005. Even after the patch and scans I have one "daily" spam that tries to take over the system. Just trying to delete the spam activates the takover attempt. The Symantec connection log entries were deleted remotely, thus hiding the connections. I have been able to capture a few IP address and they have all been through Akamai Technologies IP addresses. There is something more going on that has not been found yet. NAV and other virus scans are not detecting the remote or backdoor access.

[thedreaming]

The problem with unofficial patches

The problem with unofficial patches is simple. They are unofficial. You never trully know if it'll work 100% for your system.

Besides, it's microsoft's job to fix their software and they are aware of the problem and they are going to patch it, but they just want to include it into their monthly patching cycle and in the age of instant gratification, everyone wants it now.

You either wait patiently for the official patch or use the unoffical one or just don't use the net until tuesday.

[JoeF2]

The same with "official" patches

There are a lot of people and companies who haven't installed XP Service Pack 2, because of the large number of programs the SP breaks.

Furthermore, MS is releasing the patch today, ahead of their monthly patch cycle...

[techguy83]

lots of thoughts on this issue

It seems that anyone who cautions against using the unofficial patch is a MS troll or a cracker/hacker/virus writer.

The unofficial patch can cause problems on a system. It is not a guaranteed fix for this issue. But, for those who are willing to risk their system's integrity on this, go ahead and do so.

I'll be patient and wait for the patch that is official and probably wont hurt my windows system at home.

I'll just have to be more cautious in what I do online, as if I wasn't cautious enough already ;)

[JoeF2]

Neither is the official patch a guarantee

Case in point: XP SP2. That causes so much trouble that a sizeable number of people and companies are not installing it.

And you apparently don't understand the severity of this flaw. Just viewing a WMF file, which may even be disguised as JPEG, infects your machine. So, just using IE to browse is dangerous. Better not use the Net at all until the official patch is out, then...