Firms urged to use unofficial Windows patch

Experts are advising corporations to use an unofficial patch to combat the latest Microsoft Windows Meta File exploit.

Antivirus vendor F-Secure and the Internet Storm Center, a volunteer security group, separately urged businesses on Tuesday to use the unofficial patch, as Microsoft has not yet offered an authorized fix for the problem.

Microsoft, though, has advised businesses not to use third-party updates, even though its own patch won't be available until next Tuesday.

The WMF vulnerability can be exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said.

Mikko Hypponen, director of antivirus research at F-Secure, said he believes corporations can trust the unofficial patch, which was created by security software developer Ilfak Guilfanov.

"This is a very unusual situation--we've never done this before. We trust Ilfak, and we know his patch works," Hypponen said. "We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful."

The Internet Storm Center admitted that many businesses would be very reluctant to deploy an unofficial patch on their systems, but insisted that such action is needed.

"We've received many e-mails from people saying that no one in a corporate environment will find using an unofficial patch acceptable," Tom Liston of the Internet Storm Center said in his blog. "Acceptable or not, folks, you have to trust someone in this situation."

Related story
Windows flaw spawns dozens of attacks

Attacks designed to exploit WMF flaw range from malicious spam to MSN Messenger worm.

Systems administrators can also work around the problem by unregistering a file called "shimgvw.dll".

"The very best response that our collective wisdom can create is contained in this advice--unregister shimgvw.dll and use the unofficial patch," Liston said.

A Microsoft representative advised businesses to wait for a week, as the software giant can't guarantee third-party updates will be effective.

"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on Jan. 10, 2006. Microsoft cannot provide assurance for independent third-party security updates," the representative said.

Security experts say the WMF exploit is potentially dangerous because conventional antivirus software and IDS (Intrusion Detection System) signatures do not recognize the malicious code in spam, as the exploit is sent in seemingly normal JPEG, GIF or bitmap files.

Hackers are increasingly using a wider variety of techniques to penetrate corporate defenses with attacks launched through different methods including spam, IM worms, and defaced and fake Web sites. Computer users need only visit a compromised or fake Web site to be attacked.

Click here to see Microsoft's security advisory about the WMF flaw.

Tom Espiner of ZDNet UK reported from London.

[Orion Blastar]

Microsoft once again is too slow to apply updates

to fix security issues. We need more third party patches for the huge gaping security holes in the Microsoft operating systems.

If Microsoft won't fix them, or create patches fast enough, then third parties ought to be able to release patches for those of us who want secure systems without waiting for them. By the time Microsoft releases the fix, the worm will have already infected a lot of systems on the Internet. Which makes as much sense as closing the barn doors after the horses ran out. Close them before the horses run out.

[Mister C]

Giving the people what they want!

They, as in M$

[jmanico]

Defense-in-Depth

I built my own uber-security procedure for WMF risk mitigation. Check it out! http://www.manico.net/wmf_alert.html