Ilfak Guilfanov is far from a household name.
But that may soon change as the Russian software developer's unauthorised Microsoft security patch is increasingly installed onto computers worldwide.
In a rare move, security experts at the SANS Institute's Internet Storm Center and at F-Secure are advising people to download Guilfanov's patch, which aims to fix a flaw in the Windows Meta File.
This vulnerability has spawned a torrent of exploits that seek to take advantage of the wait while Microsoft works on its own patch. The software company has said it will release a WMF patch on 10 January, as part of its monthly security update cycle. That would come 14 days after the flaw was first publicly disclosed.
People eager to download the unofficial patch inundated Guilfanov's personal Web site, which had to be temporarily shut down as a result. He has since reduced his home page to its bare minimum.
In this case, Guilfanov, a senior developer at DataRescue in Liege, Belgium, has gained the trust of security companies, which usually are reluctant to suggest that customers use a patch from someone other than the original maker of the software.
On Tuesday, Guilfanov, who lives in Belgium, explained to CNET News.com in an email interview why he came up with his own answer to the Windows problem.
Q: Not many people may be familiar with Ilfak Guilfanov. Why
should millions of people who are affected by the Windows Meta File
flaw trust your unofficial patch?
It is quite a difficult question to answer.
Maybe because security professionals and three-letter agencies are already using my program? IDA Pro is used to analyse all malware and viruses today. People are free not to trust my fix, but they are already depending on IDA Pro to get precise analysis of binary programs today.
Maybe because I do not hide anything and put the source code in front of everyone's eyes? The fix comes with full source code — everyone can check how it works and make their own decision. Knowledgeable people, like guys from SANS, have checked and approved it.
Maybe because of the reputation of the company where I work, DataRescue? Most security companies use our product, [and] are familiar with us and our practices. I'm not surprised that most of them trust me. I cannot speak for DataRescue, of course, but this is my feeling.
In short, I do not have a simple answer to your question.
Have you developed other unofficial patches in the past that were recommended by security vendors?
It is the first time I have created such a patch. It is the first time
the vulnerability has been really bad and dangerous. It scared me.
I created the fix for me and my friends. But when I put it online, I realised that it is going to be a big thing.
Did you have contact with Microsoft prior to publishing the unofficial patch?
No.
Why did you decide not to do that? Did you determine there would be nothing to gain from such a move?
Well, I posted it to my blog to display one possible solution to the
problem. I published the source code of the fix so that everyone could
verify how it works. I saw this as a technical issue and did not think
that Microsoft would need my advice.
While SANS Internet Storm Center and F-Secure are recommending
your patch, it has spawned some debate on security mailing list
Full-Disclosure. What do you say to the sceptics who say your patch can
affect certain functionality in Windows?
As far as I know, the fix does not break any practically used
functionality in Windows. The problem with the vulnerability is that
the very functionality my fix revokes is the culprit.
Fixing the vulnerability without revoking it is really difficult, if not impossible.
There is also a sense of division among those who want Microsoft
to deliver the update now, as opposed to waiting until its monthly
patch release on 10 January. What do you think Microsoft should do?
I think Microsoft should develop a patch, [and] test and release it. And I believe that this is exactly what they are doing.
Why do you think your unofficial patch has been so popular with users?
I cannot tell for sure, but most likely because of my reputation as the
author of IDA Pro disassembler... Second, the fix comes with the source
code. This makes much easier to verify it — this is what exactly
happened at the SANS Institute. The experts confirmed that the fix does
exactly what it is supposed to do and approved it.
Finally, what are your personal views on recommending unofficial
patches? When are these appropriate to use, and under what
circumstances?
They should be taken with caution. I personally would not trust a
closed-source fix coming from a third party. That's why I published the
source code from the start.
I would recommend users to install the fix, but please test it before deploying it in large corporate networks and take a responsible approach. I believe all patches, official or not, should be tested on a small scale before deployment in large corporate networks.
