Friday, January 06, 2006

WMF patches and Liveshield

One of the most interesting aspects of the recent WMF drive-by attacks is that an 'unofficial' patch was created for the vulnerability, alongside some workarounds from Microsoft. The unofficial patch is a one-off example of a capability that we have in Determina's VPS, called 'LiveShield'. For some vulnerabilities (we didn't need it in this case), we generate a similar out-of-band patch that goes after the root cause of the vulnerability.

There are several critical differences in what was done by Ilfak and what LiveShield does on a regular basis:
  1. We've got a delivery mechanism that gets this out to all of your machines in a secure fashion
  2. It's not a one-off event
  3. It doesn't require extra configuration or a reboot of your computer to take effect. This is really important for servers.
  4. It doesn't have to be undone when you get the patch from the vendor. Here's an example of a message sent out by a patch management vendor last night:
"If you have un-registered the shimgvw.dll files as a temporary workaround for this vulnerability, or you’ve installed a third-party patch to address the WMF vulnerability, xxx recommends deploying the Microsoft MS06-001 patch, reboot, then re-register the .dll files and/or uninstall the third-party patch."
With our LiveShields, you wouldn't have to do any of this to deploy the patch. It just happens automatically based upon our core matching technology.


