Want CNET to notify you of price drops and the latest stories?

Firms urged to use unofficial Windows patch

In absence of a fix from Microsoft, security experts advise companies to use unauthorized patch for latest WMF flaw.

2 min read
Experts are advising corporations to use an unofficial patch to combat the latest Microsoft Windows Meta File exploit.

Antivirus vendor F-Secure and the Internet Storm Center, a volunteer security group, separately urged businesses on Tuesday to use the unofficial patch, as Microsoft has not yet offered an authorized fix for the problem.

Click for photos

Microsoft, though, has advised businesses not to use third-party updates, even though its own patch won't be available until next Tuesday.

The WMF vulnerability can be exploited in Windows XP with Service Pack 1 and 2, as well as Windows Server 2003, security experts said.

Mikko Hypponen, director of antivirus research at F-Secure, said he believes corporations can trust the unofficial patch, which was created by security software developer Ilfak Guilfanov.

"This is a very unusual situation--we've never done this before. We trust Ilfak, and we know his patch works," Hypponen said. "We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful."

The Internet Storm Center admitted that many businesses would be very reluctant to deploy an unofficial patch on their systems, but insisted that such action is needed.

"We've received many e-mails from people saying that no one in a corporate environment will find using an unofficial patch acceptable," Tom Liston of the Internet Storm Center said in his blog. "Acceptable or not, folks, you have to trust someone in this situation."

Systems administrators can also work around the problem by unregistering a file called "shimgvw.dll".

"The very best response that our collective wisdom can create is contained in this advice--unregister shimgvw.dll and use the unofficial patch," Liston said.

A Microsoft representative advised businesses to wait for a week, as the software giant can't guarantee third-party updates will be effective.

"Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on Jan. 10, 2006. Microsoft cannot provide assurance for independent third-party security updates," the representative said.

Security experts say the WMF exploit is potentially dangerous because conventional antivirus software and IDS (Intrusion Detection System) signatures do not recognize the malicious code in spam, as the exploit is sent in seemingly normal JPEG, GIF or bitmap files.

Hackers are increasingly using a wider variety of techniques to penetrate corporate defenses with attacks launched through different methods including spam, IM worms, and defaced and fake Web sites. Computer users need only visit a compromised or fake Web site to be attacked.

Click here to see Microsoft's security advisory about the WMF flaw.

Tom Espiner of ZDNet UK reported from London.