security fix - XP

Discussion in 'Trading Software' started by nkhoi, Jan 2, 2006.

  1. nkhoi

    Posted at 06:36 PM ET, 01/ 1/2006
    Unofficial Patch for Windows Flaw

    Security experts are urging Windows users to apply a non-Microsoft-issued software patch to fix an extremely dangerous bug that has exposed hundreds of millions of the operating system's users to spyware and viruses.

    The patch was developed by computer programmer Ilfak Guilfanov, perhaps best known in security circles as the creator of IDA Pro, a tool used to design and deconstruct software and even malware.

    Tom Liston, an Internet security consultant with Washington-based Intelguardians and an incident handler with the SANS Internet Storm Center, pleaded with Microsoft users to feel at ease installing the patch, which he said SANS had reverse-engineered, reviewed and vetted to ensure it fixes the problem and does nothing else.

    "To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it," Liston wrote. "Now we're going to expend some of that hard-earned trust. This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice -- unregister shimgvw.dll and use the unofficial patch. You need to trust us."

    http://blogs.washingtonpost.com/securityfix/

    http://www.grc.com/sn/notes-020.htm
     
  2. First of all, this really is not new to the developer and information systems management people - or at least it should not be. Variations of these issues were known quite a while ago and most people already had implemented their own organization wide fix.

    Moreover, accepting patches from anyone other than $soft - or your own developer team - is not a wise idea. So, although I am sure that these people are very good, I personally would be very wary about applying patches not sanctioned by $soft ....
     
  3. alanm

    Note that this is not the same vulnerability as the earlier GRE issues - it's a whole new thing.

    ISC/SANS and Tom Liston are well-respected in the security community. Unfortunately, you have to rely on third parties for this stuff because Microsoft is simply too slow - it's now been 7 days since the issue was made public, and no useful response from them. There are known websites out there that are hosting this exploit and just waiting to whack you. All you have to do is be persuaded to go to them. Possibly by something as normally (though incorrectly) trusted as a link from a Google search. This is a serious issue.

    Here's a link to the SANS articles on the subject, including the latest patch from Tom Liston's site:

    http://isc.sans.org/diary.php?storyid=993
     
  4. Thank you NK. Coming from you adds a lot of credibility also.

    DrudgeReport is running it up near the top as I write this. Gonna be a lot of employers tomorrow screaming to "just fken fix it NOW!" I will be one of them unless MSFT has something by morning. Makes me wonder why MSFT doesn't give these guys with the fix a hefty donation, check it out, and get it out to us asap.

    Geo.
     
  5. Hmmm ... We fixed this issue a long time ago - it's a non-issue and not new to us and I suspect the same for a lot of IT organizations.
    There is an extremely simple fix that does not require the free publicity, free marketing that the publicity hound security firm desires.....
     
  6. It seems to me that if one desires a high level of protection against security exploits triggered via browser access then the only real protection is to run your browser in a 'sand box'. These types of vulnerabilities will continue to pop up in the future and PCs running browsers will continue to be compromised. No matter how timely vendor response is (or in this case isn't), there will always be cases where patches are issued too late.

    A sand box is an environment the code runs in that inhibits its ability to do any real damage to that which it shouldn't have access to.

    The sand box can be

    1. A separate machine. Very secure and quite inconvenient.

    2. Run the browser under a separate user id with limited privileges. Not bad, but if the exploit referred to here is the one that exploits a bug in the image rendering code in the Windows KERNEL, then it wouldn't do you much good. Rendering graphics in the kernel was always a terrible idea.

    3. Run the browser in a separate virtual machine such as provided by VMware. This affords a high level of protection as each virtual machine is running its own copy of Windows. It is a good solution that is currently available and one that should be seriously considered where security is important. I think that in the future we may see much more extensive use of virtualization for security purposes, especially as forthcoming Intel and AMD CPUs will have better virtualization support.
     
  7. security fix - XP

    Haven't seen anything yet.
    Wait till Vista comes!
    :D

     
  8. Now on Linux, does this mean something like operating with a "secondary" kernel in the box? Or secluding a partition on the file system? Or...

    Thanks
     
  9. Some options for true virtualization under Linux -

    1. vmware
    2. Xen

    Probably running a browser under a separate user id is pretty safe. Maybe in a chroot(2) jail - not sure, I haven't tried it.

    When the new CPUs come out Xen will probably support Windows and other OS as well as Linux. Free.
     
    #10     Jan 3, 2006