Posted on 01/05/2006 3:10:21 PM PST by Ernest_at_the_Beach
Ilfak Guilfanov is far from a household name.
But that may soon change as the Russian software developer's unauthorized Microsoft security patch is increasingly installed onto computers worldwide.
In a rare move, security experts at the SANS Institute's Internet Storm Center and at F-Secure are advising people to download Guilfanov's patch, which aims to fix a flaw in the Windows Meta File.
This vulnerability has spawned a torrent of exploits that seek to take advantage of the wait while Microsoft works on its own patch. The software company has said it will release a WMF patch on Jan. 10, as part of its monthly security update cycle. That would come 14 days after the flaw was first publicly disclosed.
People eager to download the unofficial patch inundated Guilfanov's personal Web site, which had to be temporarily shut down as a result. He has since reduced his home page to its bare minimum.
In this case, Guilfanov, a senior developer at DataRescue in Liege, Belgium, has gained the trust of security companies, which usually are reluctant to suggest that customers use a patch from someone other than the original maker of the software.
On Tuesday, Guilfanov, who lives in Belgium, explained to CNET News.com in an e-mail interview why he came up with his own answer to the Windows problem.
Q: Not many people may be familiar with Ilfak Guilfanov. Why should millions of people who are affected by the Windows Meta File flaw trust your unofficial patch?
Guilfanov: It is quite a difficult question to answer.
Maybe because security professionals and three-letter agencies are already using my (IDA Pro) program? IDA Pro is used to analyze all malware (malicious software) and viruses today. People are free not to trust my fix, but they are already depending on IDA Pro to get precise analysis of binary programs today.
Maybe because I do not hide anything and put the source code in front of everyone's eyes? The fix comes with full source code--everyone can check how it works and make their own decision. Knowledgeable people, like guys from SANS, have checked and approved it.
Maybe because of the reputation of the company where I work, DataRescue? Most security companies use our product, (and) are familiar with us and our practices. I'm not surprised that most of them trust me. I cannot speak for DataRescue, of course, but this is my feeling.
In short, I do not have a simple answer to your question.
Have you developed other unofficial patches in the past that were recommended by security vendors?
Guilfanov: It is the first time I have created such a patch. It is the first time the vulnerability has been really bad and dangerous. It scared me.
I created the fix for me and my friends. But when I put it online, I realized that it is going to be a big thing.
Did you have contact with Microsoft prior to publishing the unofficial patch?
Guilfanov: No.
Why did you decide not to do that? Did you determine there would be nothing to gain from such a move?
Guilfanov: Well, I posted it to my blog to display one possible solution to the problem. I published the source code of the fix so that everyone could verify how it works. I saw this as a technical issue and did not think that Microsoft would need my advice.
While SANS Internet Storm Center and F-Secure are recommending your patch, it has spawned some debate on security mailing list Full-Disclosure. What do you say to the skeptics who say your patch can affect certain functionality in Windows?
Guilfanov: As far as I know, the fix does not break any practically used functionality in Windows. The problem with the vulnerability is that the very functionality my fix revokes is the culprit.
Fixing the vulnerability without revoking it is really difficult, if not impossible.
There is also a sense of division among those who want Microsoft to deliver the update now, as opposed to waiting until its monthly patch release on Jan. 10. What do you think Microsoft should do?
Guilfanov: I think Microsoft should develop a patch, (and) test and release it. And I believe that this is exactly what they are doing.
Why do you think your unofficial patch has been so popular with users?
I cannot tell for sure, but most likely because of my reputation as the author of IDA Pro disassembler...Second, the fix comes with the source code. This makes much easier to verify it--this is what exactly happened at the SANS Institute. The experts confirmed that the fix does exactly what it is supposed to do and approved it.
Finally, what are your personal views on recommending unofficial patches? When are these appropriate to use, and under what circumstances?
Guilfanov: They should be taken with caution. I personally would not trust a closed-source fix coming from a third party. That's why I published the source code from the start.
I would recommend users to install the fix, but please test it before deploying it in large corporate networks and take a responsible approach. I believe all patches, official or not, should be tested on a small scale before deployment in large corporate networks.
I just wonder if Microsoft engineers decompiled his solution, checked it (to the best of their ability), and started from there to build their own fix.
It's real easy to make a patch when you don't have to test it against 100,000 different configurations, languages, and other applications for compatibility.
Don't know but it would have been smart....
So what is your point?
| Windows Security Fix released for graphics rendering bug |
||
| Posted by Cicero On 01/05/2006 4:43:56 PM CST · 11 replies · 341+ views Microsoft Update | 12/5/06 | Self Microsoft has posted a security fix for the windows metafile bug, and it is available at the Windows Update site. I can't speak for earlier operating systems, but I have downloaded and installed it for Windows XP and Windows 2000. Because of the urgency, Microsoft released the fix early. Other updates will be available as usual next Tuesday at the Update site. |
||
Guilfanov's website got pounded. It still is being pounded.
***************************************
Guilfanov: It is the first time I have created such a patch. It is the first time the vulnerability has been really bad and dangerous. It scared me.
I created the fix for me and my friends.
The headline writer of course wants to hype his article to attract eyeballs....
Here let me save the Mac/Linux crowd the time...
Aww just get a Mac or Linux and you will never get another virus, you will live forever, you will look great, birds will follow you chirping everyday etc
:) Just having some fun ;-)
Security Update for Windows XP (KB912919) was released today, but those who installed the Russian's patch should remove it and reboot before applying the Microsoft patch.
A remote code execution security issue has been identified in the Graphics Rendering Engine that could allow an attacker to remotely compromise your Windows-based system and gain control over it.
I'll keep the unofficial patch since there is no problem with it, I don't need MS's patch fot this.
Yes, the badguys want another shot at your system....
but won't the MS patch get installed automatically, if one has Windows configured that way?
How does one uninstall the Ilfak patch?
Info I have seen says it should be listed in add/remove
It's listed as Windows Hot Fix 1.4 or something like that.
It's listed as Windows Hot Fix 1.4 or something like that.
Thanks for the reply, but I'm still unclear.
I have my computer set to download and install Windows updates automatically. A few days ago, I installed the Ilfak patch.
Is it possible that the Microsoft patch is downloaded and installed automatically, even without my doing anything? If so, will that cause a problem for me in that I have the Ilfak patch?
Thanks.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.