Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Newsmaker: Beating Microsoft to the punch ~ Russian authors patch for WMF flaw
CNET ^ | January 4, 2006, 12:45 PM PST | Dawn Kawamoto Staff Writer, CNET News.com

Posted on 01/05/2006 3:10:21 PM PST by Ernest_at_the_Beach

See all Newsmakers

Ilfak Guilfanov is far from a household name.

But that may soon change as the Russian software developer's unauthorized Microsoft security patch is increasingly installed onto computers worldwide.

In a rare move, security experts at the SANS Institute's Internet Storm Center and at F-Secure are advising people to download Guilfanov's patch, which aims to fix a flaw in the Windows Meta File.

This vulnerability has spawned a torrent of exploits that seek to take advantage of the wait while Microsoft works on its own patch. The software company has said it will release a WMF patch on Jan. 10, as part of its monthly security update cycle. That would come 14 days after the flaw was first publicly disclosed.

People eager to download the unofficial patch inundated Guilfanov's personal Web site, which had to be temporarily shut down as a result. He has since reduced his home page to its bare minimum.

In this case, Guilfanov, a senior developer at DataRescue in Liege, Belgium, has gained the trust of security companies, which usually are reluctant to suggest that customers use a patch from someone other than the original maker of the software.

On Tuesday, Guilfanov, who lives in Belgium, explained to CNET News.com in an e-mail interview why he came up with his own answer to the Windows problem.

Q: Not many people may be familiar with Ilfak Guilfanov. Why should millions of people who are affected by the Windows Meta File flaw trust your unofficial patch?

Guilfanov: It is quite a difficult question to answer.

Maybe because security professionals and three-letter agencies are already using my (IDA Pro) program? IDA Pro is used to analyze all malware (malicious software) and viruses today. People are free not to trust my fix, but they are already depending on IDA Pro to get precise analysis of binary programs today.

Maybe because I do not hide anything and put the source code in front of everyone's eyes? The fix comes with full source code--everyone can check how it works and make their own decision. Knowledgeable people, like guys from SANS, have checked and approved it.

Maybe because of the reputation of the company where I work, DataRescue? Most security companies use our product, (and) are familiar with us and our practices. I'm not surprised that most of them trust me. I cannot speak for DataRescue, of course, but this is my feeling.

In short, I do not have a simple answer to your question.

Have you developed other unofficial patches in the past that were recommended by security vendors?

Guilfanov: It is the first time I have created such a patch. It is the first time the vulnerability has been really bad and dangerous. It scared me.

I created the fix for me and my friends. But when I put it online, I realized that it is going to be a big thing.

Did you have contact with Microsoft prior to publishing the unofficial patch?

Guilfanov: No.

Why did you decide not to do that? Did you determine there would be nothing to gain from such a move?

Guilfanov: Well, I posted it to my blog to display one possible solution to the problem. I published the source code of the fix so that everyone could verify how it works. I saw this as a technical issue and did not think that Microsoft would need my advice.

While SANS Internet Storm Center and F-Secure are recommending your patch, it has spawned some debate on security mailing list Full-Disclosure. What do you say to the skeptics who say your patch can affect certain functionality in Windows?

Guilfanov: As far as I know, the fix does not break any practically used functionality in Windows. The problem with the vulnerability is that the very functionality my fix revokes is the culprit.

Fixing the vulnerability without revoking it is really difficult, if not impossible.

There is also a sense of division among those who want Microsoft to deliver the update now, as opposed to waiting until its monthly patch release on Jan. 10. What do you think Microsoft should do?

Guilfanov: I think Microsoft should develop a patch, (and) test and release it. And I believe that this is exactly what they are doing.

Why do you think your unofficial patch has been so popular with users?
I cannot tell for sure, but most likely because of my reputation as the author of IDA Pro disassembler...Second, the fix comes with the source code. This makes much easier to verify it--this is what exactly happened at the SANS Institute. The experts confirmed that the fix does exactly what it is supposed to do and approved it.

Finally, what are your personal views on recommending unofficial patches? When are these appropriate to use, and under what circumstances?

Guilfanov: They should be taken with caution. I personally would not trust a closed-source fix coming from a third party. That's why I published the source code from the start.

I would recommend users to install the fix, but please test it before deploying it in large corporate networks and take a responsible approach. I believe all patches, official or not, should be tested on a small scale before deployment in large corporate networks.

 


TOPICS: Business/Economy; Extended News; Foreign Affairs; News/Current Events; Technical
KEYWORDS: malware; microsoft; wmf
Navigation: use the links below to view more comments.
first 1-2021-22 next last

1 posted on 01/05/2006 3:10:24 PM PST by Ernest_at_the_Beach
[ Post Reply | Private Reply | View Replies]

To: ShadowAce
Of Course we now see that Microsoft has responded:

Microsoft pushes out Windows patch ahead of time

2 posted on 01/05/2006 3:12:28 PM PST by Ernest_at_the_Beach (History is soon Forgotten,)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach

I just wonder if Microsoft engineers decompiled his solution, checked it (to the best of their ability), and started from there to build their own fix.


3 posted on 01/05/2006 3:13:38 PM PST by Petronski (I love Cyborg!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach

It's real easy to make a patch when you don't have to test it against 100,000 different configurations, languages, and other applications for compatibility.


4 posted on 01/05/2006 3:16:29 PM PST by Dan Nunn (http://marklevinfan.com/Audio/WhyAreWeAtWar.wma)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Petronski

Don't know but it would have been smart....


5 posted on 01/05/2006 3:19:32 PM PST by Ernest_at_the_Beach (History is soon Forgotten,)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Dan Nunn

So what is your point?


6 posted on 01/05/2006 3:20:02 PM PST by Ernest_at_the_Beach (History is soon Forgotten,)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Ernest_at_the_Beach
I had that patch installed.

MS apparently didn't like taking the heat, so the got in gear. This today:

Windows Security Fix released for graphics rendering bug
  Posted by Cicero
On 01/05/2006 4:43:56 PM CST · 11 replies · 341+ views


Microsoft Update | 12/5/06 | Self
Microsoft has posted a security fix for the windows metafile bug, and it is available at the Windows Update site. I can't speak for earlier operating systems, but I have downloaded and installed it for Windows XP and Windows 2000. Because of the urgency, Microsoft released the fix early. Other updates will be available as usual next Tuesday at the Update site.

7 posted on 01/05/2006 3:21:23 PM PST by TomGuy
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach

Guilfanov's website got pounded. It still is being pounded.


8 posted on 01/05/2006 3:22:43 PM PST by TomGuy
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dan Nunn
From the article:

***************************************

Guilfanov: It is the first time I have created such a patch. It is the first time the vulnerability has been really bad and dangerous. It scared me.

I created the fix for me and my friends.

The headline writer of course wants to hype his article to attract eyeballs....

9 posted on 01/05/2006 3:23:16 PM PST by Ernest_at_the_Beach (History is soon Forgotten,)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Ernest_at_the_Beach

Here let me save the Mac/Linux crowd the time...

Aww just get a Mac or Linux and you will never get another virus, you will live forever, you will look great, birds will follow you chirping everyday etc

:) Just having some fun ;-)


10 posted on 01/05/2006 3:25:58 PM PST by Syntyr (Food for the NSA Line Eater -> "terrorist" "bomb" "plot" "kill" "overthrow" "coup de tas")
[ Post Reply | Private Reply | To 1 | View Replies]

To: Petronski
I just wonder if Microsoft engineers decompiled his solution, checked it (to the best of their ability), and started from there to build their own fix.

They wouldn't have to decompile it. He published the source code along with the patch.
11 posted on 01/05/2006 3:48:53 PM PST by NonLinear (He's dead, Jim)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Ernest_at_the_Beach

Security Update for Windows XP (KB912919) was released today, but those who installed the Russian's patch should remove it and reboot before applying the Microsoft patch.


12 posted on 01/05/2006 3:52:51 PM PST by TommyDale
[ Post Reply | Private Reply | To 1 | View Replies]

To: Ernest_at_the_Beach
Security Update for Windows XP (KB912919)

A remote code execution security issue has been identified in the Graphics Rendering Engine that could allow an attacker to remotely compromise your Windows-based system and gain control over it.

13 posted on 01/05/2006 4:49:10 PM PST by RedBloodedAmerican
[ Post Reply | Private Reply | To 1 | View Replies]

To: TommyDale

I'll keep the unofficial patch since there is no problem with it, I don't need MS's patch fot this.


14 posted on 01/05/2006 4:59:45 PM PST by SwordofTruth (God is good all the time.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: TommyDale

Yes, the badguys want another shot at your system....


15 posted on 01/05/2006 5:12:33 PM PST by Ernest_at_the_Beach (History is soon Forgotten,)
[ Post Reply | Private Reply | To 12 | View Replies]

To: SwordofTruth

but won't the MS patch get installed automatically, if one has Windows configured that way?

How does one uninstall the Ilfak patch?


16 posted on 01/05/2006 5:17:05 PM PST by rudy45
[ Post Reply | Private Reply | To 14 | View Replies]

To: rudy45
How does one uninstall the Ilfak patch?

Info I have seen says it should be listed in add/remove

17 posted on 01/05/2006 5:42:51 PM PST by Company Man
[ Post Reply | Private Reply | To 16 | View Replies]

To: rudy45

It's listed as Windows Hot Fix 1.4 or something like that.


18 posted on 01/05/2006 6:08:47 PM PST by TommyDale
[ Post Reply | Private Reply | To 16 | View Replies]

To: rudy45

It's listed as Windows Hot Fix 1.4 or something like that.


19 posted on 01/05/2006 6:08:47 PM PST by TommyDale
[ Post Reply | Private Reply | To 16 | View Replies]

To: TommyDale

Thanks for the reply, but I'm still unclear.

I have my computer set to download and install Windows updates automatically. A few days ago, I installed the Ilfak patch.

Is it possible that the Microsoft patch is downloaded and installed automatically, even without my doing anything? If so, will that cause a problem for me in that I have the Ilfak patch?

Thanks.


20 posted on 01/05/2006 8:22:49 PM PST by rudy45
[ Post Reply | Private Reply | To 18 | View Replies]


Navigation: use the links below to view more comments.
first 1-2021-22 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson