Unauthorized Patch For Microsoft WMF Bug Sparks Controversy
Sober worm may hit tomorrow, but businesses are more concerned about the WMF vulnerability and Microsoft's inability to produce a patch this week. Some are choosing an alternative that could lead to other problems.
By Larry Greenemeier
InformationWeek
Jan 4, 2006 01:00 PM
Concerns over the lack of a Microsoft-issued patch have pushed the Windows Metafile/Zero-Day bug to top of mind, surpassing even tomorrow's much-anticipated Sober worm attack.
The lag time between the Dec. 27 discovery of the WMF vulnerability and Microsoft's planned Jan. 10 patch availability has forced IT security departments to find alternative means for protecting their systems and prompted a non-Microsoft developer to create a patch that others could use.
All of this serves to damage Microsoft's reputation as a company that can secure its own products—a reputation that only recently was beginning to improve after years of being dragged through the mud. Experts are divided over whether it's wise to use Ilfak Guilfanov's Hexblog patch to fix the WMF vulnerability, which could allow attackers to use WMF images to execute malicious code on their victims' computers. Some say it's a necessary measure to protect systems until the official Microsoft patch arrives; others say it's not worth the extra work to patch twice or to take the risk of using a third-party fix.
http://www.informationweek.com/software/showArticle.jhtml?articleID=175801150
-
This is ridiculous really. Why does Microsoft feel it's necessary to wait until regular update day to patch this problem? The patch is ready. Release it and be done with it. If you have the ability to fix a security flaw of this level immediately, then do so. There is no excuse for leaving the consumer unprotected for another week just so you can release the patch with regular updates instead of on its own.
And from what I've heard the official patch has already been leaked onto the net. After extensive testing by a few knowledgeable individuals it's concluded that it does indeed work just fine and furthermore Ilfak's patch doesn't interfere with it in any way. You can leave his patch installed and remove it after updating and rebooting with the MS patch. There is nothing so far to suggest there is anything at all wrong with Ilfak's patch. Even SANS has given it a green light after extensive testing.
-
BTW, Leo Laporte and Steve Gibson will be talking with Ilfak Guilfanov, the patch's creator, on their next Security Now! podcast.
-
I've been hearing a few reports now that the leaked MS patch is buggy. Well that's to be expected I guess if it's leaked. I don't get how they can have so much trouble getting a working patch out with a whole team on the job, when one man can do it in virtually no time on his own.
-
Official patch now available on Windows Update.
Edit:
Apparently this patch permanently does the exact same thing the unofficial patch did. Also it appears MS has no intention of patching Win 98/ME and instead will reclassify the threat for these OSes as non-critical. GRC promises that if MS will not make a patch for it then they will make one available.