Slashdot Mirror

← Back to Stories (view on slashdot.org)

Businesses Urged To Use Unofficial Windows Patch

Posted by Zonk on from the quick-quick dept.

frankie writes "ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful" It's big enough that even mainstream media is covering the flaw.

10 of 374 comments (clear)

  1. Does MS view this as important? by JonN · · Score: 4, Interesting
    So if this vulnerability is high on the seriousness level, is anyone else wondering the same thing as I am; How and why is it that Microsoft is days behind a third party in releasing a security patch? I mean this is hitting mainstream media, and Microsoft's security patch response team is being bested by some 'guy'?

    It brings interesting schemes into my mind. Oh don't mind me, I'm just going to grab my tin foil hat.

    --
    do.what.promptcmds
    1. Re:Does MS view this as important? by travisco_nabisco · · Score: 4, Interesting

      It looks like Microsoft is allowing its user community to patch problems before it can. Oh no!! That sounds a lot like how the Linux community works. Is this going to be a more common occurence as time goes on?

    2. Re:Does MS view this as important? by ArghBlarg · · Score: 3, Interesting

      This may sound mean-spirited but I think in this case, and any like it, I couldn't blame the security community if it just threw up its hands and said:

      "Oh, what a horrible situation -- we could issue our own fix that we've written to help you out, MS -- it's ready to go, we know it works -- but due to the DMCA, Trusted Computing, numerous restrictive MS EULAs and the general legal climate you and other large proprietary software vendors have created, we are genuinely afraid to release our change, as it has required us to disassemble, reverse-engineer and generally do things that you would sue us for. Sorry. Good luck to your *own* patch team."

      Why, from a moral standpoint, should anyone help MS do their QA? They certainly have proven themselves willing to sue anyone for any number of reasons relating to reverse-engineering their code -- after all, their philosophy is that no one outside of their teams should know about the OS internals in this way.

      They can't have it both ways -- either welcome the users' rights to improve the system they paid for, or don't.

      (Yes, I realize that this patch was made to benefit the public in general, and to defend everyone's systems, not directly to benefit MS. But MS does get a free lunch out of this, in some respects.)

      --
      ERROR 144 - REBOOT ?
  2. MS has to test very extensively by PIPBoy3000 · · Score: 5, Interesting

    If you're curious as to what all they do, you can take a look here. A sample quote from the article:

    In some cases, particularly when the Internet Explorer browser is involved, the testing process "becomes a significant undertaking," Toulouse said. "It's not easy to test an IE update. There are six or seven supported versions and then we're dealing with all the different languages. Our commitment is to protect all customers in all languages on all supported products at the same time, so it becomes a huge undertaking."

  3. Whoa, that's really bizarre by frankie · · Score: 5, Interesting

    This article isn't anything like the one that I submitted.

    • 2006-01-03 17:15:05 No Microsoft WMF update until next week (Index,Windows) (accepted)

    Mine looked more like this (body content from memory):

    " The usual suspects are reporting Microsoft's latest announcement about the WMF vulnerability (link to previous /. article). To quote (link to MS technet article): "Microsoft's goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins." So do you install the unofficial patch (link to previous /. article), or cross your fingers for a week?"
  4. What will be especially interesting... by Spazntwich · · Score: 4, Interesting

    will be to compare the Microsoft released patch to the unofficial one.

    It would be deliciously muddying for Microsoft if someone discovered significant parts of the unofficial patch in the official one.

  5. Exploit to fix the exploit? by OneSeventeen · · Score: 3, Interesting

    Is it possible to use the .wmf exploit to install the .wfm exploit patch?

    It's good to see that Microsoft is keeping things consistent in this new year. As an administrator, I was worried I would have to learn something new. Rinse, lather, patch, repeat.

    --
    "Now the trouble about trying to make yourself stupider than you really are is that you very often succeed." -C.S. Lewis
  6. Re:block wmf by Shimmer · · Score: 4, Interesting

    That's great, but it's all irrelevant. The HTTP 1.1 protocol says that a browser shouldn't try to guess the MIME type of a document if it's specified by the server. IE ignores this and tries to guess the MIME type anyway.

    Note the key difference between an OS (your example) and a browser (reality).

    --
    The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
  7. What happens when the official patch comes out? by WoTG · · Score: 3, Interesting

    Will Windows Update be able to overwrite the unofficial patch when the official one is released? Does WU do a hash check of some sort to verify if the files that is is replacing are versions that it is allowed to replace?

  8. Legacy apps will break by Phatmanotoo · · Score: 3, Interesting
    Like antdude said above, the real problem with this is that the exploit affects something which is actually a feature of WMF files. A feature which is used by certain apps.

    I have witnessed first hand how Guilfanov's unofficial patch will break some legaccy apps. The one in question was a 16-bit app (based on Access 2.0). After applying the patch, it was impossible to print some forms (we received an error). Sure, we uninstalled the patch and printing was OK again.

    So therefore the interesting thing about the upcoming Microsoft patch is, how are they going to patch the hole without breaking the legitimate uses of the affected gdi functions???