Scobleizer - Latest Comments in Microsoft releases WMF update

Re: Microsoft releases WMF update

Michiel — Sat, 07 Jan 2006 17:28:41 -0000

I've been tracking this one since the first SANS alert, and I'm somewhat surprised by the ms response.

In the initial security bulletin it was a moderate vulnerability, and people were advised to deregister the dll (even though it is quite possible for the dll to be reregistered or called directly). And given stupid advise like not to surf on unfamiliar websites or something.

The SANS people noted that this has a potential for disaster and even went so far as to advise people to install an unofficial patch (which we didn't apply after lengthy corporate discussion, we stuck to having the DLL deregister command in the logon scripts and sending out warning mails and praying traveling users would not have their machines rooted).

And then MS quietly releases a critical patch out of cycle despite what was said earlier. It just seems sloppy, and the downplaying of such a severe security hole for what can only be PR reasons is downright stupid.

Re: Microsoft releases WMF update

Eber Irigoyen — Fri, 06 Jan 2006 18:04:14 -0000

"Microsoft announced that it would release... ...on Tuesday, January 2, 2006"

"Microsoft will release the update today on Thursday, January 5, 2006, ***earlier than planned.***"

what?

Re: Microsoft releases WMF update

Ed Bott — Fri, 06 Jan 2006 15:38:00 -0000

> The flaw he cited was nowhere near as dangerous as the WMF exploit. I would not have made the comparisons he did.

Jake, see my follow-up post (linked from the original post), which contains an example of a "highly critical" Firefox bug with working exploit code in the wild. Guess how long it took to get patched?

http://www.edbott.com/weblo...

The point is not that Firefox sucks, too. The point is that it takes time to patch a complex piece of software. That's true of Windows and Firefox alike.

Re: Microsoft releases WMF update

Christopher Coulter — Fri, 06 Jan 2006 13:40:57 -0000

Now that WMF outta the way, McDonald picked up Chinagate...fyi.

Re: Microsoft releases WMF update

Christopher Coulter — Fri, 06 Jan 2006 12:03:22 -0000

You know, for all the PR money MS spends, they’re really quite stupid about the “Relations” part.

Yeah, never (quite) understood that part, PR crisis after PR crisis, granted the Media pays 10 times more attention to anything they do, but after awhile you'd figure they'd learn to sing. Half the fault can be placed on Wagged, in not having to fight for the account and sending forth legions of poorly trained newly-minted college-grads as frontline cannon-fodder troops. Volumes and volumes could be written on press hate of Wagged, as half the time it's not Microsoft itself, rather it's the Devilish minions doing their bidding.

But on one of my early Pocket PC era visits to the Campus (back when I was loved and adored, instead of hated and libeled), and seeing how Microsoft employees treated their contractors and other 'wrong color' Badger's, in front of a gaggle of press no less (i.e. like slaves) quite Medieval actually, it sort of all crystallized for me. They see themselves as super-humans, an elite race above and beyond normal mere mortals. Badge racism as an art form. Basically it comes down to a geek form of Aryanism.

The 'ends justifies the means', their far-off visions are so important, so needed for the future development of mankind, everything else is a mere flippant triffle, the public be damned. Such can be a great programmer motivation, but they take it all too seriously, constantly instilling that Microsoft only hires the best, therefore you are the best strain of humanity itself. (Well, not everyone parrots the line, as Mini-Microsoft shows).

Re: Microsoft releases WMF update

Jake Brodsky, AB3A — Fri, 06 Jan 2006 10:18:21 -0000

Read the rest of the comments on Ed Bott's Blog. The flaw he cited was nowhere near as dangerous as the WMF exploit. I would not have made the comparisons he did.

I would also point out that his use of this example is very typical of the ignorance exhibited by many Microsoft advocates: counting fixes instead of the severity of the flaws. A more careful analysis will show that Microsoft's service is nothing to brag about.

Don't misunderstand me, I integrate and specify Microsoft products at work every day. They have a GUI which is second to nobody, and a pretty nice program development environment in Visual Studio. Security is there, though it's hardly used due to the cultural history of the transition from some poor long term choices in earlier 16 bit Windows releases.

Ultimately, it's a good client machine. As as server, it's very easy to set up, but too insecure for me to consider using it on the Internet.

I am dismayed by the very stilted perspectives many exhibit on this issue. Yes, this was a Zero Day exploit. We can argue forever about whether this or that system architechture favors such flaws. What I care about is responsiveness. This was a nasty flaw. It will continue to haunt unpatched Microsoft platforms for many months to come. As responsive as Microsoft was, others have done much better. There is room for improvement here and all of the apologists out there ought to acknowledge that fact.

Re: Microsoft releases WMF update

John C. Welch — Fri, 06 Jan 2006 05:41:41 -0000

The whole "We'll update on 10 Jan" was stupid to begin with. When you have a bug that people are getting attacked through, you don't pick an arbitrary date. You release the patch the very nanosecond it's ready.

You know, for all the PR money MS spends, they're really quite stupid about the "Relations" part.

Re: Microsoft releases WMF update

Tetra — Fri, 06 Jan 2006 04:58:07 -0000

From Ars Technica:

"The bug is found in all versions of Windows from 98 to XP, and affects both the Windows 95 and NT codebases. Unfortunately, users of Windows 98, 98 SE, or ME can do little more than punt, as the patch is not available for those operating systems. Microsoft only updates older OSs if it judges a security issue as critical, and it has found a loophole in its own rules by simply declaring the issue "not critical" for that particular software.

Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions."

Bwahahaha.

Also, this is kind of a misleading play on dates:

"Microsoft announced that it would release a security update to help protect customers from exploitations of a vulnerability in the Windows Meta File (WMF) area of code in the Windows operating system on Tuesday, January 2, 2006..."

...this should be: ...announced on January 2, 2006 that a patch to fix a critical issue that was found on December 27, 2005 would be available on January 10, 2006. This date was pushed up to January 5, 2006.

10 days wouldn't be too bad if this was a non-critical exploit. I, and many others, would appreciate a quicker turn-around time.

Re: Microsoft releases WMF update

Christopher Coulter — Fri, 06 Jan 2006 03:49:37 -0000

Claiming victory on this one is the absolute height of indifferent arrogance, humility is seriously in order. But in the parallel universe that is the Redmond bubble zone, any disaster always has happy spin doctors working overtime to polish the story and send out talking points (that the bloggers and zealots eat up).

So don't go smug, if (they) do I just might zap my biggie Air Force systems friend a little memo'ed 'APB'. (Member that Air Force splash from years past? Just took a domino push. ;) About the same timeframe as the Kim Kommando and NEC Tablet blowout). Ahh, fun roller coaster times, that.

Re: Microsoft releases WMF update

Kirupa — Fri, 06 Jan 2006 02:57:22 -0000

john - I uninstalled the unofficial patch from Add/Remove Programs and installed the MS version.

Re: Microsoft releases WMF update

John — Fri, 06 Jan 2006 02:18:54 -0000

Robert, if you've already installed the unauthorized patch from Hexblog, how do you handle the official version? Will Microsoft release any info on this?

Re: Microsoft releases WMF update

met — Fri, 06 Jan 2006 01:59:43 -0000

oops

Re: Microsoft releases WMF update

met — Fri, 06 Jan 2006 01:59:27 -0000

Why was my comment taken off?

Re: Microsoft releases WMF update

met — Fri, 06 Jan 2006 01:27:03 -0000

anon:

brave souls? :)

But I do echo your sentiments.

Re: Microsoft releases WMF update

anon — Thu, 05 Jan 2006 23:57:18 -0000

"Microsoft is more responsive than people give them credit for".

Great cheerleading. You almost had me started.

The exploit was made public weeks earlier, just as Microsoft's employees go on vacation. That's "made public" - it was probably being used by blackhats for months before to steal data from people's computers without anybody's knowledge. Within hours, exploit code was widely available.

For an exploit code that affects every version of Windows from 3.1 to 2003 64-bit server edition, Microsoft's security response was far from good.

During the holidays, Microsoft employees blogged about it like they were more interested in going on vacation than fixing the problem:
http://blogs.technet.com/ms...

"Hey, happy new year!"
"Everything's cool!"
"There's NO WAY you could get hit, guys!"
"We know about the problem!"
"Uh, yeah, we're 'working' with antivirus companies on the problem." (like they are responsible for it at all)
"Have a safe and happy New Year!"

Let's not get carried away, especially since the fix became available from third-party sources (doing most of the work for Microsoft) well before it was made available from Windowsupdate.

What was the reward for those brave souls who came forward to fix the problem for a company with a monopoly and $50 billion in the bank? Microsoft discouraged people from installing an "unapproved" patch.

Re: Microsoft releases WMF update

Innocent Bystander — Thu, 05 Jan 2006 23:42:10 -0000

Good to see they can jump through their tails when they need to. A bit sad to see them need to so often. Ounce of prevention and all that.

Re: Microsoft releases WMF update

J. Random Poster — Thu, 05 Jan 2006 22:00:42 -0000

Jonathon,

Windows will NEVER get a real security model. The hope it once had of being as securable as VMS was dashed when Cutler's work was botched by the Evil Empire. "Security" in windows will never get beyond the hand-waving and pretending level, and that is why Linux will replace it on the server, and ordinary desktop users will just continue to suffer until they wise up and buy a Mac.

Re: Microsoft releases WMF update

J. Random Poster — Thu, 05 Jan 2006 21:57:25 -0000

Hold the phone.. Kudos? For remedying a really bonehead bug? How about shooting the idiot who thought that the windows metafile was a good idea in the first place?

Re: Microsoft releases WMF update

Ken Camp — Thu, 05 Jan 2006 21:36:56 -0000

Kudos to Microsoft for going forward with a release out of cycle from the "patch Tuesday" routine. That was warranted. But as much credit goes to SANS for the pressure on Microsoft to do this. If SANS hadn't been as vocal about it, it would not have rolled early. SANS reputation added pressure to Microsoft to perfom, and kudos to MS for stepping up and showing they can when the pressure is on.

Re: Microsoft releases WMF update

/pd — Thu, 05 Jan 2006 21:31:56 -0000

Robert, is Good but yet not good !!

good that MSFT is being rapidly active
Not Good that MSFT did note complete pa roper rsik assessment on WMF format before production service

!!!!!

Re: Microsoft releases WMF update

Jonathon — Thu, 05 Jan 2006 21:18:00 -0000

Seriously, at what point will Windows get a real security model?

Re: Microsoft releases WMF update

Brian — Thu, 05 Jan 2006 21:17:40 -0000

Kudos to the security team and management for their flexibility (and PR, no doubt, for raising the roof). Let's hope it stems all future code execution through graphic files (sheesh!).

I'm still a little dismayed at the security statements that this isn't a critical matter for the legacy OSs...

Re: Microsoft releases WMF update

scobleizer — Thu, 05 Jan 2006 21:15:37 -0000

Jonathan, read Ed Bott's comparison to Firefox: http://www.edbott.com/weblo...