Microsoft Buckles To Pressure, Releases WMF Patch Early - InformationWeek

Facing mounting pressure for a patch to the Windows Meta File vulnerability, Microsoft issued a fix on Jan. 5, five days earlier than expected. Besides calming fears that attackers could use WMF images to execute malicious code on victims' PCs, Microsoft hoped to quell a controversy over the use of unauthorized patches with its software.

A piece of code written by Russian programmer Ilfak Guilfanov--and endorsed by some security experts--to protect computers against WMF exploits reached unprecedented popularity for a third-party fix. It also sparked controversy over whether users were better served waiting for Microsoft or trusting an unauthorized patch. The vulnerability lies in the Windows graphics rendering engine that handles Windows Meta File images: attackers could use these images to launch malicious code on users' computers. Microsoft acknowledged the vulnerability on Dec. 28 but said it wouldn't make a fix available until Jan. 10, which would have given hackers 13 days to get creative embedding attacks within WMF images. The bug spurred more than 200 exploits as of last week, according to security firm Sophos plc.

Microsoft issues emergency patches only under certain circumstances. It initially decided the WMF vulnerability wasn't an emergency: Its infection rate had stabilized and the risk of infection was ranked as low to moderate, according to Debby Fry Wilson, a director in Microsoft's security-response unit. But by Thursday, Microsoft completed and released a patch, forgoing its original plan to issue a fix on the second Tuesday of the month, in keeping with its regular schedule of security updates.

Third-party patches and workaround code aren't unheard of for Microsoft software vulnerabilities, but "this is the first time I can recall where there has been community endorsement of a third-party patch," Fry says of Guilfanov's work. "That's unusual." Guilfanov, senior developer with Belgian software maker DataRescue, is best known for writing the IDA Pro software that security specialists use to dissect viruses and malware. Another unofficial patch, by a programmer at antivirus vendor Eset Software, was available Jan. 5.

Windows Meta File Flaw Response

Dec. 28: Microsoft confirms a vulnerability that could let malicious code travel via images
Dec. 30: Russian programmer Ilfak Guilfanov releases code to work around the WMF vulnerability
Jan. 4: Microsoft warns users not to apply its early patch code accidentally released at security community site
Jan. 5: Microsoft issues official WMF patch five days earlier than planned

Risks Of Unauthorized Fixes

But debate over the wisdom of using Guilfanov's Hexblog code highlights the broader issue of unauthorized third-party fixes. Complications and potential risks that could result from using a stopgap patch convinced research firm Gartner to advise against Guilfanov's solution. The SANS Institute's Internet Storm Center and security research firm F-Secure Corp., however, recommended that users not wait for Microsoft's fix. They suggested unregistering a vulnerable Dynamic Link Library (DLL), an executable program module in Windows, and applying Guilfanov's workaround program.

Even if that code worked perfectly, users have had to modify their Windows environments when deploying the patch and will have to uninstall it before applying Microsoft's fix. This creates several opportunities for something to go wrong, Gartner analyst John Pescatore says. Instead, Pescatore advised companies to ensure their URL-blocking capabilities were up to date and WMF files were blocked, and to expedite testing and deployment of Microsoft's patch.

Most businesses would prefer to use an official patch rather than trust third-party offerings, which could encourage phishing scams. At one financial-services company, WMF workarounds led to wasting "countless man-hours" on measures that mitigated risk to a lesser degree than a Microsoft patch would, says the assistant VP of IT security at the company. She adds, "If a third party can put out a stable patch, Microsoft should have been able to."
