
Confusion over whose patch to use for Windows flaw

OUT-LAW News, 04/01/2006

Conflicting advice is being offered to Windows users over the latest software vulnerability to be revealed. Microsoft is urging users to wait for an approved patch to be released, but some security experts say that a third-party patch should be used right away.

They believe that the vulnerability – in the way Windows renders Windows Metafile (WMF) image files – is so serious that it outweighs the risk of using an unauthorised patch.

The vulnerability came to light in late December, when it was revealed that computers running almost all versions of the Windows operating system could be infected simply by visiting a web page that hosts an exploit for the flaw.

Examples of such exploits have already been found, leading to an alert from the US Computer Emergency Readiness Team (US-CERT) on 28th December. But the flaw is as yet unpatched.

Microsoft confirmed yesterday that it had completed development of a security update to fix the vulnerability, but that the update was still being tested. Microsoft expects to release it on 10th January.

“Although the issue is serious and the attacks are being attempted, Microsoft’s intelligence sources indicate that the scope of the attacks is limited. In addition, attacks exploiting the WMF vulnerability are being effectively mitigated by anti-virus companies with up-to-date signatures,” said Microsoft.

The company urged users to take care not to visit unfamiliar or untrusted websites that could potentially host the malicious code, and to keep their anti-virus protections up to date.

But in the eyes of some in the online security field, action needs to be taken now.

Researchers at the SANS Institute – a leading source for information security training and certification – have called for users to make use of an unofficial patch developed by Ilfak Guilfanov, an expert in reverse engineering. Their call has been echoed by security firm F-Secure.

"This is a very unusual situation – we've never done this before,” Mikko Hypponen, F-Secure’s antivirus research director told ZDNet UK. “We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same.”

In response, Microsoft warned that “As a general rule, it is a best practice to utilise security updates for software vulnerabilities from the original vendor of the software.”

Doing so, the company said, takes advantage of the review and testing process carried out to ensure that updates are of high quality and are compatible with applications.

“Microsoft cannot provide similar assurance for independent third party security updates,” said Microsoft.

Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.