Security experts on Tuesday advised corporations to use an unofficial patch to combat the latest Microsoft Windows Metafile (WMF) exploit. Both antivirus vendor F-Secure and the volunteer security group the Internet Storm Center urged businesses to use the unofficial patch, as Microsoft has so far failed to offer an authorised patch to address the problem.
Microsoft, though, has advised businesses not to use third-party updates, even though its own patch won't be available until next Tuesday.
As reported last week, the WMF vulnerability can be exploited by a malicious image file, delivered by Trojan horse malware or by a hostile Web page, to compromise a PC, for instance by installing spyware on it or by turning it into part of a botnet.
Mikko Hypponen, director of antivirus research at F-Secure, said that he believes corporations can trust the unofficial patch, developed by security software developer Ilfak Guilfanov.
"This is a very unusual situation — we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly sucessful," said Hypponen.
The Internet Storm Center admitted that many businesses would be very reluctant to deploy an unofficial patch on their systems, but insisted that such drastic action is needed.
"We've received many emails from people saying that no-one in a corporate environment will find using an unofficial patch acceptable," said Tom Liston of the Internet Storm Center, in his blog. "Acceptable or not, folks, you have to trust someone in this situation."
Systems administrators can also work around the problem by unregistering the Windows Picture and Fax Viewer library, shimgvw.dll (for example, regsvr32 -u %windir%\system32\shimgvw.dll from an administrative command prompt). The cost is that the Windows image viewer and Explorer thumbnails stop working until the library is re-registered, and the workaround only closes that viewing path: applications that render metafiles through GDI themselves remain exposed, which is why both measures are recommended together.
"The very best response that our collective wisdom can create is contained in this advice — unregister shimgvw.dll and use the unofficial patch," said Liston.
A Microsoft spokeswoman advised businesses to wait for a week, as the software giant can't guarantee that third-party updates would be effective.
"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006. Microsoft cannot provide assurance for independent third party security updates," she said.
Security experts say the WMF exploit is potentially very dangerous because conventional antivirus software and IDS signatures do not recognise the malicious code in email spam: the exploit is sent in files with seemingly normal JPEG, GIF or Bitmap extensions, and Windows identifies and renders a metafile by its content rather than by its file name.
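Because the extension tells you nothing, triage has to look at the bytes. The following Python scanner is an added example and is not code from the article, from F-Secure or from the Internet Storm Center: it recognises WMF content by its placeable or standard header regardless of file name, walks the record list, and flags the META_ESCAPE record with the SETABORTPROC escape function that the MS06-001 advisory identifies as the trigger. The record layout and the numeric constants come from the published WMF format, not from the article; the sample files are constructed inline and contain no working payload.

```python
import struct

# WMF constants from the published Windows Metafile format (not from the article).
# MS06-001 is triggered by a META_ESCAPE record selecting the SETABORTPROC escape.
PLACEABLE_KEY = 0x9AC6CDD7   # 22-byte "placeable" wrapper preceding the real header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
STD_HEADER_LEN = 18          # METAHEADER is 9 16-bit words


def wmf_payload_offset(data):
    """Offset of the standard WMF header, or None if the bytes are not a metafile.
    Only the content is inspected; the file extension is never consulted."""
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        return 22
    if len(data) >= STD_HEADER_LEN:
        file_type, header_size, version = struct.unpack_from("<HHH", data, 0)
        if file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return 0
    return None


def scan_wmf(data):
    """Walk the record list and report escape records that select SETABORTPROC."""
    start = wmf_payload_offset(data)
    result = {"is_wmf": start is not None, "records": 0, "findings": []}
    if start is None:
        return result
    pos = start + STD_HEADER_LEN
    while pos + 6 <= len(data):
        # Each record: RecordSize (32-bit, in 16-bit words) then RecordFunction (16-bit).
        size_words, func = struct.unpack_from("<IH", data, pos)
        size = size_words * 2
        if size < 6 or pos + size > len(data):
            result["findings"].append((pos, "malformed or truncated record"))
            break
        result["records"] += 1
        if func == META_EOF:
            break
        if func == META_ESCAPE and size >= 10:
            escape_func, byte_count = struct.unpack_from("<HH", data, pos + 6)
            if escape_func == SETABORTPROC:
                result["findings"].append(
                    (pos, f"META_ESCAPE/SETABORTPROC with {byte_count}-byte payload"))
        pos += size
    return result


def flagged(samples):
    """Names of samples whose content is a WMF carrying a SETABORTPROC escape."""
    return [name for name, data in samples.items()
            if any("SETABORTPROC" in msg for _, msg in scan_wmf(data)["findings"])]


# --- Constructed sample files (built here for the example; not real malware) ---
def _header():
    # Type=1 (memory), HeaderSize=9 words, Version=0x0300, Size, Objects, MaxRecord, Members
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, 0, 0, 0, 0)


def _record(func, params=b""):
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


BENIGN_WMF = _header() + _record(META_SETMAPMODE, struct.pack("<H", 8)) + _record(META_EOF)
# Escape record selecting SETABORTPROC; the four zero bytes stand in for the
# attacker-controlled data and do nothing here.
TRIGGER_WMF = (_header()
               + _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4)
               + _record(META_EOF))
PLACEABLE_TRIGGER = struct.pack("<IH", PLACEABLE_KEY, 0) + b"\0" * 16 + TRIGGER_WMF
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\0" * 32

SAMPLES = {
    "report.wmf": BENIGN_WMF,
    "holiday.jpg": TRIGGER_WMF,        # WMF bytes behind a JPEG name
    "logo.gif": PLACEABLE_TRIGGER,     # placeable WMF behind a GIF name
    "photo.jpg": JPEG_STUB,            # genuine JPEG signature, ignored
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = scan_wmf(data)
        print(f"{name:12} wmf={r['is_wmf']!s:5} records={r['records']} findings={r['findings']}")
    print("flagged:", flagged(SAMPLES))
```

Run it over a mail quarantine or proxy cache directory by reading each file's bytes into `scan_wmf`; anything flagged, whatever its extension, deserves a look. It is a triage aid, not a substitute for the patch: a truncated or deliberately malformed record list stops the walk early and is reported as such rather than silently passed.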
Hackers are increasingly using a wider variety of techniques to penetrate corporate defences with attacks launched through different vectors including spam, IM worms, and defaced and fake Web sites. Users need only visit a compromised or fake Web site to be attacked.
Microsoft has published a security advisory about the WMF flaw.
Talkback
Unofficial patches can be considered helpful. But for some reason or another I did not find any reference to the source code of the patch, only a "click this executable (which will install <whatever> onto your computer), and you will be safe" promise.
In what way is this undisclosed patch better than any closed-source "solution" MS can deliver?
In other words: closed-source is "bad", but we should trust a closed-source patch from an unknown source?
Maybe I'm just paranoid, but there is *NO WAY* that I'm going to install that on the computer I'm working on.
Which would you consider more trustworthy:
a.) a patch from someone with lots of references, including vendors of anti-virus software?
b.) a worm embedded in a .jpg file?
I can understand why you're skittish about this, but I'm more worried about what could happen in the next week when hackers have an open door.
I went to the download site and received this message:
"Account for domain hexblog.com has been suspended"
Has the bandwidth been exceeded or has it been taken down by MS or other?
Does anybody know an alternate site, if so please post. Thanks
Go here
http://tinyurl.com/cos3x
or here
http://tinyurl.com/8stt5
for the patch
Maybe it's me or something, and I am a little paranoid, but to accept a supposed third-party patch for a virus is kinda crazy. What if the patch is the cause of the virus? I mean, we can't trust Microsoft in the first place, but it's better than trusting a third party sometimes. How many times have you downloaded a third-party plugin or extra, and don't they always warn you? How do we know it's not the same thing this time? How do we know it won't cause the virus and that it's just some guys making crap up? But that's me. I'm a paranoid psycho, so you don't have to listen to me.
Don't be so hard on yourself. You are not a psycho. We all know that. But you are spreading FUD: fear, uncertainty and doubt. At the end of the day, you have to choose who you trust, and trust those that they trust. I would trust those that make the effort to protect me, not those that only tell me what is supposed to be good for me without making the effort.
I am not an expert but I took the advice written and downloaded the unofficial patch. After installing it and following all instructions regarding unregistering a DLL etc. I found that I could no longer access ANY of my jpegs. I could not do anything with them at all. Lucky that I set a restore point before I installed it or I would have been in trouble. Looks to me that this was tested about as much as an XP service pack!
In the end, whether you install the patch or not, this is all about trust and risk assessment. Do you trust the people who are recommending you install the patch? Are you prepared to risk the consequences of your decision?
I've told my mother, my wife and all my friends to install this, walked my folks through the install in simple easy to understand terms.
I trust F-Secure, even though I use Symantec AV. I read the ISC handlers' diary every day so I'm willing to trust them with this; they've earned that much.
Our CERT (I work for an international agency) is telling people who maintain their own corporate PCs to install the patch.
I know who I trust, do you?
John L.
>After installing it and following all instructions
>regarding unregistering a dll. etc I found that I could
>no longer access ANY of my jpegs.
This is by design; this is what the Microsoft part of the workaround is actually supposed to do.
I draw your attention to the penultimate paragraph of the article you are replying to:
>Security experts say the WMF exploit is potentially
>very dangerous as conventional antivirus
>software and IDS signatures do not recognise the
>malicious code in email spam, as the exploit is
>sent in seemingly normal JPEG, GIF, or Bitmap
>files.
This means that until either Microsoft releases a patch or the exploit is foiled, any graphical image format supported by the DLL you just unregistered is potentially a virus risk.
Any image file, any you view with a Web browser or receive through the mail, including those spam images you didn't ask for, are all potential plague rats.
That's how big this problem has the potential of being.
This page:
http://isc.sans.org/diary.php
is advising organisations to think about disconnecting from the Internet and switching off all Web and email traffic. This has the potential to be a lot more serious than not being able to view a few jpegs.
To John L and others.
Windows paint and third party software still work - to view your own safe images.
It is only the actual Windows mechanisms which are affected by the unofficial patch, to protect your system from unauthorised malicious activity.
The unofficial patch is fully reversible and must be uninstalled before installing the MS patch when it is issued and confirmed effective. Shimgvw.dll should also be re-registered if you have unregistered it (run regsvr32.exe C:\windows\system32\shimgvw.dll).
It is only one personal opinion, but the patch may well be a good one; I was one of the first to get it and utilise it. However, what it does is completely block off all your photos, digital photos etc., so I re-registered the DLL the next day. This patch, I suspect, is more for large corporations, large computer networks, workstations etc. and not so much for home users. I have found that rather than unregister this DLL, taking advantage of the Windows OneCare program offers quite good protection from the WMF problem. My thanks for the opportunity to respond.