Security Blog Wire: Plenty of opinions on WMF patching

Though Microsoft decided to release its WMF patch early, debate raged this week among bloggers over whether the danger warranted the use of third-party fixes.


Nobody disputes the threat Microsoft's Windows Metafile (WMF) flaw poses to enterprise networks. The digital underground has already exploited it on a massive scale. U.K.-based AV firm Sophos, for example, says it has seen hundreds of attempted attacks through e-mail, instant messaging and Web browsing. In all likelihood, that's why the software giant reversed its decision and released the patch on Jan. 5, rather than Jan. 10, when its monthly slate of "Patch Tuesday" fixes is scheduled to debut.

But did the danger justify company-wide deployments of third-party patches before the Redmond, Wash.-based Microsoft released its official fix? That's the question security bloggers grappled with this week.

Some said Windows users should have faith in Microsoft's efforts to produce a tried and tested fix in time for its monthly security update, and that mass-deploying unofficial patches is foolhardy in any event. Others -- including major security vendors like Helsinki-based F-Secure Corp. -- took the unusual step of endorsing an unofficial fix that Russian programmer Ilfak Guilfanov made available on his blog. Still others argued that only individual IT managers can determine what's best for their network.

Worth the risk
F-Secure AV Research Director Mikko Hypponen explained the endorsement of a third-party fix in the company's daily lab blog. "Ilfak Guilfanov has published a temporary fix, which does not remove any functionality from the system (all pictures and thumbnails continue to work normally)," he said. "Now, we wouldn't normally blog about a security patch that is not coming from the original vendor. But Ilfak Guilfanov isn't just anybody. He's the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world." A description of IDA Pro is available in this .pdf file.

Adrian Kingsley-Hughes, a British-based technical consultant and author, argued in favor of the third-party fix in his PC Doctor blog. "I've just been asked (again) if I recommend the unofficial WMF patch that Ilfak Guilfanov released for the WMF exploit a few days ago," he said. "YES!!! Forget the nonsense from Microsoft on this and get protected. Plenty of eyes have examined the patch (including my own) and the consensus is that it offers protection and nothing more. Get protected until an official patch is released! Don't wait! Do it now!"

On the fence
Those who were in the middle included Costin Raiu, head of research and development for the Romanian division of Russian AV firm Kaspersky Lab. After an alleged beta of Microsoft's WMF patch started making the rounds this week, he wrote in the firm's Analyst Diary blog that "you should never use a patch from an untrusted source, no matter how promising it looks… you should always be very wary of any third-party patch from an untrusted source, whether it's claiming to fix an old vulnerability or the latest WMF vulnerability. This is a method which has successfully been used in the past to distribute malware."

That philosophy didn't stop him from jumping on the Guilfanov bandwagon, however. "Ilfak's patch is the only one we can recommend… [he] knows what he's doing, and the work he's put into developing the patch is admirable," Raiu said.

An insane option?
Those who were more skeptical of the third-party option included Windows Small Business Server (SBS) expert Susan Bradley. She wrote in her E-Bitz SBS blog that those who install unofficial fixes like Guilfanov's should "test this sucker and understand that you have possibly put this in an unsupported position."

She said IT shops have to decide for themselves what the best choice is, and that administrators shouldn't rush to deploy third-party patches just because entities like F-Secure and the Bethesda, Md.-based SANS Internet Storm Center recommend it.

"I find it insane that folks are wanting untested patches on their systems, both in the form of a third-party patch or in the form of an untested Microsoft patch," she said. "F-Secure doesn't understand my network, my risk tolerance [or] my lab apps any more than Microsoft does. So if I do my own risk analysis and don't always follow Microsoft's advice, why should I follow anyone else's?"

Test, test and test some more
Whether they are for or against using third-party fixes, security bloggers agree that IT shops should test patches thoroughly before deploying them company-wide. Todd Towles, a network systems analyst at a medium-sized, Southeastern-based retail chain, said this in his Thoughts of a Technocrat blog:

"Administrators should NEVER push patches to large groups of computers without extensive and proper testing. This goes for ANY program (fix, patch, new program, update, upgrade, workarounds - whatever). Home-grown or official."

He added that most large companies have multiple defense systems and can reduce the WMF threat without taking the third-party patch option. "Network and security professionals may want the extra protection of applying Ilfak's patch," Towles said. "Go ahead [and] use it. All my home computers have it and my work laptop, but with multiple defense layers in place here at the office, I don't see a huge need to push it out like it's MS03-039."

Microsoft released MS03-039 in September 2003 to fix a critical flaw in the Remote Procedure Call portmapper, which directs traffic for different services using RPC. Towles said that flaw, which was heavily exploited, was worse than the WMF glitch.

Trust us
Not surprisingly, the Microsoft Security Response Center, the software giant's vulnerability management and resolution team, used its blog to urge patience and warn against the use of third-party patches. Response Center operations manager Mike Reavey stressed that the company is doing everything in its power to get a patch out quickly.

"The update has been on an expedited track since Microsoft became aware of the attacks on Dec. 27th," he said. "We still anticipate releasing the security fix for this issue on Jan. 10, 2006, once testing for quality and application compatibility is complete."

The race to develop a fix "includes redirecting resources from other security development and testing efforts to primarily focus around the clock on producing and releasing the WMF security update," he assured users.

This article originally appeared on SearchSecurity.com.

About Bill Brenner

Bill, SearchSecurity.com's Senior News Writer, has more than a decade of journalism experience. He has worked as a reporter and editor, starting as a writer for Community Newspaper Company, then as an editor at The Eagle-Tribune, the daily newspaper of Massachusetts' Merrimack Valley region.

If you have a security news tip or story idea for Bill, contact him at bbrenner@techtarget.com.
