WMF Patch Timing: Brilliantly Evil?
If you’ve followed the “WMF Vulnerability” that’s been all over the security blogosphere, with leaks into the mainstream media, then you know that today Microsoft released a patch. (If you don’t know this, please just go run Windows update.) I haven’t talked about it because I haven’t had much to add, but today’s release of an update may well have been brilliantly evil.
I think that Mike Nash is being quite candid in his post on the MSRC blog. Microsoft would really like their customers to patch, and those customers have a much longer memory for patches that cause failures than patches that just work. (In some ways, this is a displacement of the sysadmin’s curse.)
The timing of the patch was driven by Microsoft’s need to understand the quality of the patch before shipping. It was also driven, in part, by real world exploits, but as of yesterday, Mike Reavey wrote:
I just wanted to provide another quick update on the WMF vulnerability situation. Microsoft is continuing to work on finalizing a security update for the vulnerability in WMF that is currently being exploited by some malicious attackers. The update has been on an expedited track since Microsoft became aware of the attacks on December 27th. We still anticipate releasing the security fix for this issue on January 10, 2006, once testing for quality and application compatibility is complete. (“WMF Vulnerability Security Update.”)
I’ve been thinking a lot about the game theory aspects of this, and asking myself, when is the ideal time to release another vector, say a mass mailing worm? The worm author has to trade off time spent testing their worm against the chance that a patch comes out before they release. So the worm author wants to release fairly late, but not so late that he’s scooped by other worms, or by a patch.
In light of the strong words from Microsoft that a patch would be released Tuesday, the pressure on worm authors to release was lessened. The rational trade-off between testing and release was shifted towards a later release.
At the same time as Microsoft was making these statements, they had knowledge about how the patch testing was going. Were they misleading the hackers (and, incidentally, everyone else) in their statements before today? Was it an intentional application of lessons from game theory about the shadow of the future?
If so, I’m impressed. Evil like that is all too rare.
(Evil Santa from Janx.)
The worm authors have many others to worry about. There are people producing unofficial patches, writing IDS rules, installing mail filters, etc… I think the worm author in this particular case would just have to put it out as soon as they could. One past workable strategy has been to “ship” the sloppy version ASAP, and let the world debug it for you.
That last bit might not work today, since you’d have someone else fix it, but substitute their own C&C.
The vuln appears to have been in use since 01Dec2005. It’s interesting that IE vulnerabilities are going straight to the spyware market now.
Good points, Ryan!
Would you argue that the imminent patch release was a minor consideration, or out of consideration entirely?
I’d think that much of what you discuss works for medium to large businesses, but not home users. I know I didn’t try to get my mom to install the unofficial patch.
Certainly, knowing the patch was coming (sooner) would make a worm author want to move on it faster. But my point was that the opportunity was already shrinking somewhat even before that.
You’re right that most home users aren’t implementing a lot of clever workarounds themselves. I would hope that their home firewall and AV vendors were, though, which they would get via autoupdate.
The saddest part was watching grc.com try to be all 31337 about making the fix work with Ilfak. What a fuckin retardo.
Ryan,
It’s my perception that Microsoft announcing that the patch would come out Tuesday would substantially relieve pressure on the worm writers. Do you think that the patch pressure is smaller, or not as significant as the other pressures?
I think you’re probably right that the patch coming represents a bigger threat to a worm author.