In an unusual move, the SANS Institute is recommending that Windows users apply a software patch created by a Russian researcher to prevent attackers from compromising Windows desktops through a software flaw Microsoft says it won’t fix for a week.
The so-called Windows Metafile (WMF) exploit allows an attacker to completely compromise a desktop by sending malicious code with a graphic or through a Web site that a victim visits. SANS Institute, a security organization whose division known as the Internet Storm Center monitors security threats, considered the risks associated with the WMF flaw so serious that it decided to make a software patch available for download after it learned that Microsoft won’t have its software patch ready until Jan. 10.
Microsoft, while acknowledging the WMF flaw, says Windows users should refrain from applying any patch other than Microsoft’s own. However, Johannes Ullrich, chief research officer at SANS Institute, said that to date there have been over 80,000 downloads of the SANS-recommended patch prepared by Russian researcher Ilfak Guilfanov. In addition, SANS is assisting a number of large enterprises and state agencies that want to deploy the SANS-recommended patch to desktops throughout their organizations.
“We would rather Microsoft be doing this patch,” said Ullrich. But with Microsoft unprepared to release a fix immediately, SANS Institute felt that the evidence of a growing number of WMF-related desktop compromises warranted the unusual step of recommending a patch on its own.
In a bulletin, Microsoft confirmed that attacks based on the WMF exploit started on Dec. 28, but its software fix is still being tested.
Desktop users who suffered the effects of the WMF exploit describe it as a devastating experience to find their desktop computers completely taken over by an attacker.
“When it hit, the screen suddenly said, ‘Congratulations, you’re infected!’” said Brad Dinerman, vice president of information technology at MIS Alliance, a professional services outsourcing firm in Newton, Mass. It was clear that the computer running XP was no longer in his control.
“It had root access, it wouldn’t let me log off or do anything,” Dinerman said. He said he ended up having to rebuild the machine from scratch. He noted that his machine had been up to date in terms of software patches, anti-virus and anti-spyware software.
While Dinerman said he hoped Microsoft would speed up a fix to prevent the WMF exploit, he added that he wasn’t entirely comfortable with the idea of applying the patch recommended by SANS or any supplier other than Microsoft. “It raises concerns about testing,” said Dinerman.
Ullrich said SANS Institute fully tested the software patch it is recommending, which can be found at its Web site http://www.sans.org. He added that the exploit has so many variants that anti-virus firms are having a difficult time keeping up with the changes in its attack code. Applying a software patch directly to Windows XP or Windows 2000, for which SANS has patches available, is the best method to prevent the WMF-related exploit, he concluded.