Beating Microsoft to the punch

newsmaker Ilfak Guilanov explains why he created an unofficial Windows patch that is drawing rare backing from antivirus firms.

Dawn Kawamoto Former Staff writer, CNET News
Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.
Dawn Kawamoto
4 min read
Ilfak Guilfanov is far from a household name.

But that may soon change as the Russian software developer's unauthorized Microsoft security patch is increasingly installed onto computers worldwide.

In a rare move, security experts at the SANS Institute's Internet Storm Center and at F-Secure are advising people to download Guilfanov's patch, which aims to fix a flaw in the Windows Meta File.

This vulnerability has spawned a torrent of exploits that seek to take advantage of the wait while Microsoft works on its own patch. The software company has said it will release a WMF patch on Jan. 10, as part of its monthly security update cycle. That would come 14 days after the flaw was first publicly disclosed.

People eager to download the unofficial patch inundated Guilfanov's personal Web site, which had to be temporarily shut down as a result. He has since reduced his home page to its bare minimum.

In this case, Guilfanov, a senior developer at DataRescue in Liege, Belgium, has gained the trust of security companies, which usually are reluctant to suggest that customers use a patch from someone other than the original maker of the software.

On Tuesday, Guilfanov, who lives in Belgium, explained to CNET News.com in an e-mail interview why he came up with his own answer to the Windows problem.

Q: Not many people may be familiar with Ilfak Guilfanov. Why should millions of people who are affected by the Windows Meta File flaw trust your unofficial patch?

Guilfanov: It is quite a difficult question to answer.

Maybe because security professionals and three-letter agencies are already using my (IDA Pro) program? IDA Pro is used to analyze all malware (malicious software) and viruses today. People are free not to trust my fix, but they are already depending on IDA Pro to get precise analysis of binary programs today.

Maybe because I do not hide anything and put the source code in front of everyone's eyes? The fix comes with full source code--everyone can check how it works and make their own decision. Knowledgeable people, like guys from SANS, have checked and approved it.

Maybe because of the reputation of the company where I work, DataRescue? Most security companies use our product, (and) are familiar with us and our practices. I'm not surprised that most of them trust me. I cannot speak for DataRescue, of course, but this is my feeling.

In short, I do not have a simple answer to your question.

Have you developed other unofficial patches in the past that were recommended by security vendors?

Guilfanov: It is the first time I have created such a patch. It is the first time the vulnerability has been really bad and dangerous. It scared me.

I created the fix for me and my friends. But when I put it online, I realized that it is going to be a big thing.

Did you have contact with Microsoft prior to publishing the unofficial patch?

Guilfanov: No.

Why did you decide not to do that? Did you determine there would be nothing to gain from such a move?

Guilfanov: Well, I posted it to my blog to display one possible solution to the problem. I published the source code of the fix so that everyone could verify how it works. I saw this as a technical issue and did not think that Microsoft would need my advice.

While SANS Internet Storm Center and F-Secure are recommending your patch, it has spawned some debate on security mailing list Full-Disclosure. What do you say to the skeptics who say your patch can affect certain functionality in Windows?

Guilfanov: As far as I know, the fix does not break any practically used functionality in Windows. The problem with the vulnerability is that the very functionality my fix revokes is the culprit.

Fixing the vulnerability without revoking it is really difficult, if not impossible.

There is also a sense of division among those who want Microsoft to deliver the update now, as opposed to waiting until its monthly patch release on Jan. 10. What do you think Microsoft should do?

Guilfanov: I think Microsoft should develop a patch, (and) test and release it. And I believe that this is exactly what they are doing.

Why do you think your unofficial patch has been so popular with users?
I cannot tell for sure, but most likely because of my reputation as the author of IDA Pro disassembler...Second, the fix comes with the source code. This makes much easier to verify it--this is what exactly happened at the SANS Institute. The experts confirmed that the fix does exactly what it is supposed to do and approved it.

Finally, what are your personal views on recommending unofficial patches? When are these appropriate to use, and under what circumstances?

Guilfanov: They should be taken with caution. I personally would not trust a closed-source fix coming from a third party. That's why I published the source code from the start.

I would recommend users to install the fix, but please test it before deploying it in large corporate networks and take a responsible approach. I believe all patches, official or not, should be tested on a small scale before deployment in large corporate networks.