Any patch in a storm? The debate rages anew

News
Jan 09, 2006 | 4 mins
Microsoft · Networking · Patch Management Software

As network professionals scramble to repel a series of exploits that target a hole in the Windows Metafile (WMF) image-rendering engine – a vulnerability some say Microsoft was tardy in addressing – disagreement is flaring again over the wisdom of applying unauthorized patches as a stopgap in such situations.

“In this case, Microsoft is taking too long,” says Johannes Ullrich, chief research officer at the SANS Institute, which last week took the unusual step of distributing an emergency WMF patch written by a Russian researcher, before Microsoft bowed to public pressure and released its own fix five days ahead of the date it originally had promised. The SANS patch, which Ullrich says has been thoroughly tested, had been downloaded more than 80,000 times before Microsoft offered its version. Security vendor Eset also issued a patch.


Microsoft, which had urged customers to avoid third-party patch remedies, learned of the exploit Dec. 27 and originally said the earliest it could provide a patch would be Tuesday, Jan. 10, as part of the company’s monthly security release – a timetable that drew questions and criticism.

“On a zero-day exploit, it is kind of tough to move fast enough,” says Joe Wilcox, an analyst at Jupiter Research.

IBM acknowledged that Lotus Notes Versions 6 and higher also have the WMF flaw and advised its customers to wait for the Microsoft patch.

The WMF hole left Windows desktop users vulnerable to dozens of attacks carried out via malicious image files embedded in Web sites and e-mail. Some WMF-based assaults announced themselves with the message “Congratulations, you’ve been infected!” and took full control of the victim’s machine, while others quietly seeded computers with spyware and adware.

The episode also added fuel to a long-running debate about third-party patches.

Ullrich says the SANS emergency patch was especially needed in this case because anti-virus signature updates were not keeping pace with the wide variety of WMF exploits in circulation. Last week SANS was assisting corporations and government agencies in applying the emergency patch.
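The signature-lag problem Ullrich describes is why a structural check on the file format holds up better than per-variant signatures. The documented trigger for the MS06-001 flaw is a WMF META_ESCAPE record (function 0x0626) whose escape function is SETABORTPROC (9): GDI treated the record's payload as a callback and ran it. The scanner below, an added example written for this article and not code from SANS, Microsoft or the researchers mentioned, walks the WMF record stream and flags any SETABORTPROC escape regardless of what the payload looks like, so it does not depend on a signature for a particular variant. The record and header layouts follow the public WMF format; the sample files are constructed inline (the placeable-header checksum is left at zero, since the scanner does not verify it), and the 0xCC payload bytes are a stand-in, not a real exploit.

```python
import struct

# WMF record functions and escape sub-function involved in MS06-001.
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009
PLACEABLE_KEY = 0x9AC6CDD7  # magic of the optional 22-byte placeable header


def wmf_records(data):
    """Yield (function, params) for each record in a WMF blob.

    Raises ValueError on a truncated header or a record whose size
    field runs past the end of the data or is too small to be valid.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22  # skip the placeable (Aldus) header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    header_words = struct.unpack_from("<H", data, off + 2)[0]  # HeaderSize, in words
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        size = size_words * 2
        if size < 6 or off + size > len(data):
            raise ValueError(f"bad record size {size_words} words at offset {off}")
        yield func, data[off + 6:off + size]
        if func == META_EOF:
            break
        off += size


def scan_wmf(data):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    try:
        for func, params in wmf_records(data):
            if func == META_ESCAPE and len(params) >= 4:
                esc_func, byte_count = struct.unpack_from("<HH", params, 0)
                if esc_func == SETABORTPROC:
                    findings.append(f"SETABORTPROC escape carrying {byte_count} bytes")
    except ValueError as exc:
        # A malformed record stream is itself worth reporting, not silently skipping.
        findings.append(f"malformed: {exc}")
    return findings


# --- constructed sample files (not captured from real attacks) ---

def record(func, params=b""):
    """Build one WMF record: Size (dwords of words), Function, Params, word-padded."""
    body = struct.pack("<H", func) + params
    if (4 + len(body)) % 2:
        body += b"\x00"
    return struct.pack("<I", (4 + len(body)) // 2) + body


def build_wmf(records):
    """Wrap records in a standard 18-byte WMF header (Type=1 memory metafile)."""
    body = b"".join(records)
    max_record = max((len(r) // 2 for r in records), default=0)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_record, 0)
    return header + body


def placeable(wmf):
    """Prefix a placeable header (key, handle, bbox, inch, reserved, checksum=0)."""
    return struct.pack("<IHhhhhHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 96, 0, 0) + wmf


BENIGN_WMF = build_wmf([record(META_SETMAPMODE, struct.pack("<H", 8)), record(META_EOF)])
EXPLOIT_WMF = build_wmf([
    record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\xcc" * 4),
    record(META_EOF),
])
PLACEABLE_EXPLOIT_WMF = placeable(EXPLOIT_WMF)

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WMF), ("exploit", EXPLOIT_WMF),
                       ("placeable exploit", PLACEABLE_EXPLOIT_WMF), ("junk", b"\x00" * 10)]:
        print(f"{name}: {scan_wmf(blob) or 'clean'}")
```

The scanner keys on content rather than file extension, and it bounds every record size against the remaining data so a hostile size field cannot make it loop or read past the buffer; a stream that fails those checks is reported as malformed rather than passed as clean.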

However, other experts express general misgivings about applying unauthorized patches.

“Accepting patches from anyone other than a vendor is a bad idea,” says John Pescatore, a Gartner analyst. “We have seen what happens when people believe they can get patches via e-mail or Web sites other than the vendor’s: phishing attacks spoof them and all hell breaks loose. The next volunteer patch is likely to be a rootkit.” He says using workarounds, such as restricting use of WMF and the Web for a limited time would be a “much better, safer way to go” than the risk of an unofficial patch.

Although 10 days to get a patch out may seem long to customers, it’s actually “very, very good,” Pescatore says. A business-quality patch typically takes at least 30 days, and 90 days is not out of the question, he says. Using a volunteer patch in the meantime only means you have to uninstall it when the vendor does produce one, he adds.

Amid all the debate over patching practices, users last week were being hurt by the WMF-based attacks.

Brad Dinerman, vice president of IT at MIS Alliance, a professional services outsourcing firm in Newton, Mass., says he had to completely rebuild his XP-based desktop after being hit by a WMF attack, even though his machine was up-to-date on anti-virus and Windows patches.

Nevertheless, Dinerman says he’s reluctant to add an unauthorized software patch. “It raises concerns about testing,” he says.

Matthew Bailey, LAN engineer for CSK Auto, which owns auto parts stores, says he would have considered using the SANS patch if WMF-based attacks had been more widespread. Instead, he waited for the Microsoft patch. “My opinion is they need the time to get it right. From past experience, a flawed patch is worse than the actual bug,” he says.