Private Patch for .WMF Bug Raises More Concerns

Download our in-depth report: The Ultimate Guide to IT Security Vendors

SHARE
Share it on Twitter  
Share it on Facebook  
Share it on Google+
Share it on Linked in  
Email  
Right at the end of 2005 and beginning of 2006 an interesting thinghappened. A zero-day exploit to a Microsoft vulnerability was posted tothe net, followed by at least one non-Microsoft patch to fix the problem.

What's the big deal, you ask? Plenty.

As I write this, the private patch is available and being downloaded (nodoubt) by thousands of people. I've even seen discussions by companiesconsidering deploying this private patch across their enterprises.Microsoft's patch to the same problem isn't scheduled to be released forabout a week.

There are a myriad of problems with this scenario. Let's consider them abit...

Readers of my columns know I'm no fan of software patching, but we'repretty much stuck with it until, and unless, the software productdevelopers of the world can find a better solution. And, with all duefairness to the software folks, a zero-day exploit is pretty much theirworst security nightmare. In a zero-day scenario, a software defect isexploited and a corresponding attack is publicly distributed before thevendor even knows the defect exists. Talk about having the proverbial gunto your head while trying to develop a solution!

The potential for releasing a flawed 'solution' is vast. But that's stillnot all of what made this particular vulnerability such a big deal.

Add to the difficulties of merely having to produce a suitable solutionto the problem the fact that someone else beat them to the punch. Aprivate, no doubt well-intended person wrote and distributed his ownversion of a patch to this Microsoft defect more than a week before theMicrosoft patch is due to arrive. Now consider the complexities of thesituation.

Will the Microsoft patch work with the private one? Will it replace it?If the private patch causes application software to fail, willMicrosoft's customer support lines start ringing? (You betcha!) Will theprivate patch cause unforeseen compatibility issues six months or a yearfrom now? Who knows? Even if that private patch is perfect in every way,how will it impact Windows Update and other configuration managementconcerns? Who knows.

On the other hand, what if there's something nasty in the private patch-- a bug, spyware, or a rootkit of some sort, perhaps? How do we know itis trustworthy? Because the author says it is? Because a well-knownsecurity expert said on his podcast that he personally verified thesource code and can vouch for it? How do we know that even the vettedsource code corresponds to the binary patch on the download site? Whoknows?

Don't get me wrong. I'm really not trying to say that this kind soul whoproduced the private patch did something terrible. Everything that I haveheard points to the author being respectable, trustworthy, and trying toperform a meaningful public good. Kudos!

The real failure here is the system, not the particular individualsinvolved. For starters, publishing a zero-day exploit is unconscionable.Those responsible should be punished to the fullest extent of the law.Our patch-and-chase cycle is broken. We've got to do much better. Thevulnerability that I'm talking about was caused by a buffer overrun inthe way that Microsoft Windows handles media files. Buffer overruns (oroverflows, if you prefer) are preventable implementation defects insoftware that should have been caught by the vendor before the product'srelease. We've got to get more serious about how we do software security-- and how we consumers accept product releases for that matter.

And when product defects do make it through the Quality Assurance process, we've got to find betterways to engineer solutions. In the unfortunate case of similar zero-dayissues, we need to find some stop-the-bleeding countermeasures, followedby properly engineered and tested solutions that fully fix the underlyingdefect. (In this case, a stop-the-bleeding workaround was presented, butit fell far too short of being useful.)

I don't mean to trivialize these issues. They're major and they're notgoing to be solved over night -- or in this column, for that matter. I dohope, though, that this particular case has opened up enough eyes that wecan bring the right consumer and product vendor resources to bear on theproblem and really come up with a solution that will work.

Submit a Comment

Loading Comments...