Private Patch for .WMF Bug Raises More Concerns
January 5, 2006
By Kenneth van Wyk

Right at the end of 2005 and the beginning of 2006 an interesting thing happened. A zero-day exploit for a Microsoft Windows vulnerability in the handling of .WMF image files was posted to the net, followed by at least one non-Microsoft patch to fix the problem.

What's the big deal, you ask? Plenty.

As I write this, the private patch is available and being downloaded (no doubt) by thousands of people. I've even seen discussions by companies considering deploying this private patch across their enterprises. Microsoft's patch to the same problem isn't scheduled to be released for about a week.

There are myriad problems with this scenario. Let's consider them a bit...

Readers of my columns know I'm no fan of software patching, but we're pretty much stuck with it until, and unless, the software product developers of the world can find a better solution. And, in fairness to the software folks, a zero-day exploit is pretty much their worst security nightmare. In a zero-day scenario, a software defect is exploited and a working attack is publicly distributed before the vendor even knows the defect exists. Talk about having the proverbial gun to your head while trying to develop a solution!

The potential for releasing a flawed 'solution' is vast. But that's still not all of what made this particular vulnerability such a big deal.

On top of the difficulty of producing a suitable fix under that kind of pressure, someone else beat Microsoft to the punch. A private, no doubt well-intentioned individual wrote and distributed his own patch for the defect more than a week before the Microsoft patch is due to arrive. Now consider the complexities of the situation.

Will the Microsoft patch work alongside the private one? Will it replace it? If the private patch causes application software to fail, will Microsoft's customer support lines start ringing? (You betcha!) Will the private patch cause unforeseen compatibility issues six months or a year from now? Who knows? Even if that private patch is perfect in every way, how will it interact with Windows Update and other configuration management concerns? Who knows?

On the other hand, what if there's something nasty in the private patch -- a bug, spyware, or a rootkit of some sort, perhaps? How do we know it is trustworthy? Because the author says it is? Because a well-known security expert said on his podcast that he personally reviewed the source code and can vouch for it? How do we know that even the vetted source code corresponds to the binary patch on the download site? Who knows?
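Those last two questions have concrete answers, and an enterprise considering the private patch should get them before deploying anything. The following is an added example, not code from the column or from the patch's author: it checks a downloaded binary against a digest obtained out of band, then checks whether a rebuild from the vetted source actually reproduces the shipped binary. The file name, the file contents and the "published" manifest are all constructed for the example.

```python
"""Integrity checks for a third-party patch before deployment.

Two questions from the column: does the file we downloaded match what the
author published, and does the vetted source actually produce that binary?
All file names, contents and the 'published' manifest below are constructed
for this example; they are not the real patch or its real digests.
"""
import hashlib
import hmac
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes, as lowercase hex (the usual published form)."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, manifest: dict, name: str) -> bool:
    """Compare a downloaded file against a digest obtained out of band.

    The manifest must come from somewhere other than the download page itself
    (a signed announcement, a second mirror, a digest read out on a podcast);
    a digest served beside the binary only proves the download survived
    transit. compare_digest keeps the comparison constant-time.
    """
    expected = manifest.get(name)
    if expected is None:
        return False          # no trusted digest: refuse, do not guess
    return hmac.compare_digest(sha256_hex(data), expected)


def binary_matches_source(rebuilt: bytes, downloaded: bytes) -> bool:
    """Does the reviewed source reproduce the shipped binary?

    Rebuild from the vetted source tree and compare digests. This is only
    meaningful when the build is reproducible (same toolchain and flags, no
    embedded timestamps); otherwise a mismatch tells you nothing either way.
    """
    return hmac.compare_digest(sha256_hex(rebuilt), sha256_hex(downloaded))


def audit_patch(downloaded: bytes, manifest: dict, name: str,
                rebuilt: Optional[bytes] = None) -> dict:
    """Run both checks and return a deployment decision.

    'reproducible' is None when no rebuild was attempted. The patch is only
    cleared for deployment when the published digest matches AND a rebuild
    from the vetted source matches the binary; a digest alone answers the
    first question in the column, not the second.
    """
    digest_ok = verify_download(downloaded, manifest, name)
    reproducible = None if rebuilt is None else binary_matches_source(rebuilt, downloaded)
    deploy = digest_ok and reproducible is True
    return {"digest_ok": digest_ok, "reproducible": reproducible, "deploy": deploy}


# Constructed sample files. Real installers are much larger; the content is
# irrelevant to the checks, only the bytes matter.
GOOD_PATCH = b"MZ\x90\x00" + b"example unofficial patch, build 1" + b"\x00" * 16
TAMPERED_PATCH = GOOD_PATCH + b"\x00extra bytes appended after vetting"
PATCH_NAME = "example-patch.exe"   # hypothetical file name

# A manifest as it would be obtained out of band. Its digest is computed here
# so the example is self-contained; in practice you transcribe it from the
# trusted source and never from the download page.
PUBLISHED_MANIFEST = {PATCH_NAME: sha256_hex(GOOD_PATCH)}


if __name__ == "__main__":
    print(audit_patch(GOOD_PATCH, PUBLISHED_MANIFEST, PATCH_NAME, rebuilt=GOOD_PATCH))
    print(audit_patch(TAMPERED_PATCH, PUBLISHED_MANIFEST, PATCH_NAME))
    print(audit_patch(GOOD_PATCH, PUBLISHED_MANIFEST, PATCH_NAME, rebuilt=TAMPERED_PATCH))
```

The three calls at the bottom cover the cases the column worries about: an untampered file that the vetted source reproduces (deploy), a file that does not match what was published (refuse), and a file that matches the publisher's digest but not a rebuild of the reviewed source (refuse, because the source you read is not what you are about to install).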

Don't get me wrong. I'm really not trying to say that this kind soul who produced the private patch did something terrible. Everything that I have heard points to the author being respectable, trustworthy, and trying to perform a meaningful public good. Kudos!

The real failure here is the system, not the particular individuals involved. For starters, publishing a zero-day exploit is unconscionable. Those responsible should be punished to the fullest extent of the law. Our patch-and-chase cycle is broken. We've got to do much better. The vulnerability I'm talking about is a defect in the way Microsoft Windows parses .WMF (Windows Metafile) image files: a crafted image can make the parser execute attacker-supplied code. Defects of this kind, whether a buffer overrun or a parser that does whatever the file tells it to do, are preventable implementation defects that should have been caught by the vendor before the product's release. We've got to get more serious about how we do software security, and about how we consumers accept product releases, for that matter.

And when product defects do make it through the Quality Assurance process, we've got to find better ways to engineer solutions. When zero-day issues like this one arise, we need stop-the-bleeding countermeasures first, followed by properly engineered and tested solutions that fully fix the underlying defect. (In this case, a stop-the-bleeding workaround was presented, but it fell far too short of being useful.)

I don't mean to trivialize these issues. They're major and they're not going to be solved overnight -- or in this column, for that matter. I do hope, though, that this particular case has opened enough eyes that we can bring the right consumer and product vendor resources to bear on the problem and really come up with a solution that will work.

Kenneth van Wyk, a 20-year veteran of IT security, is the principal consultant for KRvW Associates, LLC. The co-author of two security-related books, he has worked at CERT, as well as at the U.S. Department of Defense.
