washingtonpost.com
Experts Advocate Non-Microsoft Windows Patch

By Brian Krebs
Special to the Washington Post
Wednesday, January 4, 2006

Security experts yesterday criticized Microsoft Corp. for waiting until next week to address a recently revealed flaw in the Windows operating system that they say is unusually dangerous.

The experts took the unusual step of urging users to install a patch created by a private developer, saying Microsoft is downplaying the severity of the security hole.

The flaw, revealed last week, allows hackers to break into computers running versions of Windows software -- from Windows 98 through the most recent Windows XP. The flaw allows computers to be infected with spyware or viruses by visiting a Web site or opening on an image or link in an e-mail or instant message.

Debby Fry Wilson, a director in Microsoft's security response unit, said the company began working on a fix as soon as it confirmed the technical details of the ongoing attacks, which so far have affected computers running Windows 2000, Windows XP and Windows Server 2003. Its patch, which is being tested to ensure that there are no conflicts with other software, is to be issued next Tuesday.

While the threat "is serious and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks are not widespread," she said.

Thomas F. Liston, an incident handler with the SANS Internet Storm Center in Bethesda, said Microsoft was downplaying the threat from the flaw.

"They're just keeping their fingers crossed that this doesn't blow up in a big way until the 10th," Liston said.

Another computer-security firm, Symantec Corp., said Microsoft's decision to delay the patch for another week presents attackers with a "seven-day window that attackers could exploit this issue in a potentially widespread and serious fashion." The Cupertino, Calif., company raised its threat alert to the highest level in 16 months.

Liston said hundreds of Web sites are exploiting the flaw. Malicious hackers expanded into instant messages on New Year's Eve to take advantage of the vulnerability, he said.

In an advisory posted on its Web site earlier this week, SANS urged Windows users to download and install the unofficial patch. SANS and other security experts checked the patch to ensure that it fixes the security flaw without compromising other programs or creating other problems for the users, Liston said.

"I was kind of afraid for my own computer because you can get infected just by visiting a site with your Web browser," said Ilfak Guilfanov, the programmer who developed the unofficial patch and is author of IDA Pro, a debugging tool. "I decided if it works for me, then maybe it will help others, too."

It is rare for established computer security experts to urge Windows users to install a third-party software patch for a Windows problem. They tend to advise users to ignore patches for Windows security flaws not issued by Microsoft because criminals frequently disguise their malware as Windows patches to trick users into installing them.

Wilson declined to comment on the quality and security of Guilfanov's patch.

Until Microsoft releases its patch, customers should practice "safe computing habits," such as updating anti-virus software and avoiding unfamiliar Web sites, she said. However, it's unclear whether safe computing is enough because the exploit it altered every time it infects a new machine, making it tougher for anti-virus software to detect it.

F-Secure Corp., the Finnish anti-virus company that first spotted the exploit on the Internet on Dec. 27, also vouched for the safety of the unofficial patch and advised customers to use it.

"We will see this vulnerability being used for various different purposes for months to come, and I wouldn't be surprised to see a massive worm outbreak before Microsoft releases this patch," said Mikko H. Hypponen, chief research officer at F-Secure.

Brian Krebs is ahttp://washingtonpost.comreporter. Updates on the security flaw and instructions on how to deal with it can be found athttp://washingtonpost.com/securityfix.

View all comments that have been posted about this article.

© 2006 The Washington Post Company