Back in the day, we all got whipped into a frenzy when Orson Welles read the novel "The War of the Worlds" from the CBS 20th floor studios on Madison Avenue. People were so frightened - they were so convinced that aliens were really on the march - that they took extreme actions to keep themselves from being victims of the upcoming Martian attack: people left their homes, hallucinated poison gas or lights from death rays, broke out the ordnance, etc. In short, people took measures way out of proportion to what was really going on - had they but relaxed and waited for the real threat to materialize, they would have saved themselves a lot of heartache.
This situation, in my opinion, is very much akin to what has been going on over the past few days in and around the Windows image library vulnerability. Don't get me wrong, I said it was an issue - even a significant one - and I still believe that. However, in looking through the advice today, I'm a bit surprised at just how much panic there is out there; I'm even more surprised at the number of people who are recommending that we install the "unofficial patch." SANS is suggesting one of two unofficial patches, F-Secure is recommending that people install it, the Washington Post says not to wait and to "do it now", etc., etc. Practically, the only outlet not recommending the unofficial patch is Microsoft, although they do recommend unregistering the impacted DLLs in the official advisory.
Here's my advice: keep in mind that the unofficial patch has its own downside. I'm sure that the patch works, I'm sure it's probably bug-free, and I'm sure it fixes the problem; however, neither Microsoft nor any other application vendor is going to support it. You are going to support it. The onus is going to be on you to make sure that you "roll back" the unofficial patch to apply the real fix, the onus is on you to make sure that your applications work, the onus is on you to make sure that the unofficial patch works the way it's supposed to. Sounds like work to me... Not to mention that in the enterprise, system admins will need to support the patch, somebody will have to test all the apps, and then test them *again* when the real patch is released.
On the other hand, what does the unofficial patch buy you? There's no malware of any significance that uses this bug yet (F-Secure has a few examples of email-borne malware but nothing with a distribution of more than a few individuals), and (as Pete said the other day) current attacks do require user intervention. Right now, it's just hype; the danger is potential rather than real... Look, I'm not saying that you shouldn't be safe, I'm just saying wait until there's a problem before applying drastic measures. Rather than being like the folks who loaded up their cars with guns and headed for the woods when "War of the Worlds" started, be like the people who listened alertly until the end of the program when Orson told us that it was just fiction.
Posted by Ed at January 3, 2006 10:46 AM