January 4th, 2006
Wait for Microsoft WMF patch, no thanks!
By now, you’ve probably heard of the unofficial WMF Vulnerability patch by programming genius Ilfak Guilfanov. Some experts say install it now! Others say you better wait till next week for the official patch from Microsoft. Since I’ve spent a good part of New Years day weekend researching and testing this bug, I would tell you that this vulnerability is so dangerous that you better install the unofficial patch now and then uninstall it when the official Microsoft patch is hopefully released next week.
The highly respected SANS.org has fully vetted the patch and they’re so impressed that they’ve even started hosting copies of the patch on their own website. For your convenience, Guilfanov created an EXE version of the patch which you can find here. For the corporate types that want to install this across the enterprise through Active Directory, they can push out the MSI version repackaged by Evan Anderson of Wellbury Information Services, L.L.C.
If you’re wondering why this is such a high priority patch, it’s because existing workarounds are weak at best and the exploit is extremely dangerous. There are those who say this isn’t anymore dangerous than an Internet worm but worms can’t infect you through firewall perimeters. Even Antivirus and Intrusion Detection Systems are having a hard time with the WMF exploits since a group released proof-of-concept code that automatically generates randomized headers and fragmented packets to defeat nearly every AV and IDS signature. With the WMF exploit, you just need to look at an infected image file while surfing the web or checking your email and you’re instantly infected with nasty spyware or rootkit. Since there are no official patches available, there was little you could do to protect yourself until now.
Hardware-enforced DEP seems to work pretty well only if you have a more recent CPU that supports AMD NX or Intel XD technology. NX and XD technology enforces Windows DEP (Data Execution Prevention) in hardware but you most likely have to change the default DEP settings and apply DEP to "all programs and services on your computer". Microsoft’s official workaround of un-registering a specific DLL file not only breaks a ton of useful functionality like the ability to view image thumbnails, but it doesn’t even protect you from MS Paint or Lotus Notes. Guilfanov’s patch doesn’t seem to break anything and it protects you much better than Microsoft’s official workaround.
Microsoft’s official negative stance on the unofficial patch is understandable since Microsoft can’t take responsibility for a 3rd party patch which they haven’t tested and they’re busy cranking out the official patch. But this vulnerability is so serious that I personally just can’t wait till next week for the official patch. For now, Guilfanov is a big life saver and I’ll keep his patch installed until the official Microsoft patch hopefully comes out next week.
George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
