Microsoft to Patch WMF Exploit Early
Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm ET, instead of Tuesday, as originally planned.
Microsoft writes: "Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible."
Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.
It would have been nicer if they made patches available as soon as possible with or without strong customer sentiment.
Virtual Betting on Facebook for non-geeks.
Thank you for your interest in obtaining updates from our site.
To use this site, you must be running Microsoft Internet Explorer 5 or later.
To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.
How Jaded Are You?
No problem... there's plenty of other exploits for windows.
testing has been completed earlier than anticipated
Sure.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
...only 10 days too late...
---
tis is not a FP
Maybe it is just me, but 8 days for a tested patch does not seem that long. However it was a 0 day which made this exploit special.
"in response to strong customer sentiment" I.e. we look foolish that the community was able to fix it sooner than we were. Here you go, we're not that bad after all, see?
Let's be friends again.
Slashdot # 199661 the number that's the same upside down and right side up
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
WSUS picks it up on synch so start deploying once you've tested it internally. 5 days early? Not bad. Not great, but an official patch is always welcome. Hats off to the SANS team for applying the pressure. It's unfortunate that they were not mentioned in the Acknowledgements section of the MS06-001 release notes.
They would have released it earlier, but their test machines kept getting hacked...
20 mil and I will! Learn Esperanto with 20M others.
Figures it comes out the day after I patch all the machines with the unofficial patch. Any idea of compatibility? Install microsoft's patch then remove old patch?
Of course, if Linux became the mainstream desktop OS, this would be a non-issue.
The security update will be available at 2:00 pm PT as MS06-001. In any case, I'm glad to see Microsoft listening to customers and security advocates to release before the regular monthly patch date.
Is it really a problem of customer sentiment, or is it actually the public embarrassment of a third party releasing a patch quicker even without the source code of the libraries?
--
Superb hosting 20GB Storage, 1_TB_ bandwidth, ssh, $7.95
Let me guess, they've added a warning message that says you're about to download or open a WMF then lets you do it anyway? It took them all week to develop because they needed to translate "OK" and "Cancel" to 47 different languages.
I wonder if this actually fixes the problem or protects against it like Windows OneCare does.
This message will self-destruct in 5, 4, 3...
"It appeared that there had even been demonstrations to thank Big Brother for raising the chocolate ration to twenty grammes a week. And only yesterday, he reflected, it had been announced that the ration was to be reduced to twenty grammes a week. "
Somebody within M$ finally awoke to the public outcry from the sysadmins and ISC. Leaving your customers swinging in the breeze for weeks to release such a critical patch is criminal.
As far as I know, this vulnerability dates as far back as Windows 3.1. A large number of users still run Windows 95/98 who can't get the patch from Microsoft. I guess it sucks to be them...
Or maybe just pie.
http://images.usatoday.com/life/_photos/2005/06/21/inside-candy-pie.jpg
He who knows best knows how little he knows. - Thomas Jefferson
It's 4PM now, so I fixed that for you.
It's the old "SCOTTIE" trick. They say they need until the 10th to test and patch and make sure it works and then they WOW us by being able to release it early. They had it ready before now, they are just trying to salvage what little they have out of this fiasco.
Well, I guess it already is out. Guess they got their announcement mixed up.
Here's the actual link to MS's site that describes the patch: Microsoft Security Bulletin MS06-001
"When will the patch for the patch be released?" asked Fox News correspondent Bubbles McConnifer, causing the press corps to giggle like schoolgirls in heat.
"Smile when you said that, bitch," growled a visibly angered Microsoft, who then motioned to two pinstripe suited thugs who escorted Ms. McConnifer from the press conference.
"Any other questions, whores?" asked Microsoft, placing fists on hips and allowing his 'MS Certified Otakus Rule!' T-Shirt to be seen. His query was greeted by silence. "Well alright, then."
I'm sorry man, maybe in another couple of years? :)
I'd like to know how many people downloaded and installed the "hacked" version(s). Any firm numbers out there? Thousands, hundreds of thousands, millions?
How to Download YouTube Videos
Our customers are getting pwn3d.
Reality is defined by the maddest person in the room
Damned if they send out patches as they're made (too many, too confusing) and damned if they wait 'til Patch Tuesday (negligent, inconsiderate).
We can't have it both ways, and neither should they. I say send out patches as they're made and let the sysadmins be responsible for whether they can keep up or not. It may be difficult to admin many machines that have to be patched but I'd rather have fixes available ASAP and put the burden on IT to apply them.
Yeah, there are patches that will break stuff and ample testing should be done anyway...but does rolling them all into a Patch Tuesday really change that fact? Probably not.
With this sentiment, we can put more pressure on Patch Tuesday for what it really is -- a Trustworthy Computing PR stunt in which the number of fixes and vulnerabilities seems to be lower (since we're only patching once a month...maybe).
All that said, kudos to MS for reacting...but unkudos for taking this long...and major unkudos for being naive about the WMF design to begin with.
The exploit writers have had the exploit ready for quite a while now.
While MS was 'testing' everyone has been installing 'fixes' from other sites..
Even IF their patch was not 100% it wouldn't really have mattered in this case.
There was a gaping security hole in their OS and they still needed 12 days to come up with a fix!
For such a large company whose software is being used by *millions* of people worldwide and 7 billion a quarter profit, they've sure taken their sweet time!
Why don't they take some 0.01 percent of that 7 billion and test/release it sooner?
... meaning all us east coast admins will be staying late tonight. Joy.
"Powers. I have them."
I had this virus on my desktop spamming its false alerts since as early as last week. After I found the proper guides on how to remove it, and an arduous 5 hour session of reboots, safe mode runs, virus scans from 5 different programs, and constant tweaking and adjusting, I finally removed the virus on my own. Thanks Microsoft...
Intrigued with the brouhaha surrounding WMFs, I did a search for them on my machine. The only WMFs I found were Microsoft's clip art. Which begs the question: is there anyone out there who isn't Microsoft who commonly uses this file type?
In other news, Microsoft bought out the company that originally patched the flaw. ;)
-Chris
Time IQ - Web Based Time Tracking
To parent: If you were in charge of Microsoft's update team, would you spend your time developing an update system for various other companies' products if you had one you knew would work 100% of the time for the required task?
I'm no anti-microsoft zealot as I enjoy using other products, but the groupthink on this website is ridiculous.
Telling everyone that they are going to wait till Tuesday to patch the problem, then releasing a patch 5 days earlier might actually be quite a neat trick.
I'm sure a lot of people out there who were planning to take advantage of this problem have been thinking that they have till Tuesday to write a really good exploit, and therefore not hurrying too much.
Now Microsoft come along and patch it early.
I don't know about anyone else but I was expecting Monday to be a day from hell...
Does this mean I can't have an image file that creates bouncing pictures hopping around on my screen with some guy screaming that I am looking at gay porno?
srsly, fuck u miKKKro$haft
Actually they are doing this to save face. The reason it is being put out "early" is because someone else wrote a fix for it already. People apparently flowed to this other site for the patch, and people started wondering what the problem was. Here was a person who without the Windows source fixed the bug, while Microsoft itself with full access to the code was delaying. In order to save face they had to rapidly deploy it rather than sit on it as they normally do.
Microsoft Sucks, F/OSS Rocks. I get mod points now right?
I'm only getting hits on 2000, XP, and 2003: According to the Financial Times article highlighted at Drudge, Hyppönen said the vulnerability is supposed to hit "every Windows operating system since 1990".
So is there a patch for older versions of Windows?
I think that by this point Microsoft is pretty much numbed when it comes to public embarrassment.
All movements for social change begin as missions, evolve into businesses, and end up as rackets.
Funny, yes, but not true. The patch is available here:
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
Just downloaded it with Firefox. It's just Windows Update that requires IE.
They just blocked the execution of the vulnerable function. This to me is a mitigation method, not a patch. Think of it as, there is a vulnerability in mod_rewrite within apache, and a third party "patch" just disables it, to secure apache.
This wouldn't have anything to do with the fact that the fix got leaked early, would it?
http://grc.com/sn/notes-020.htm
Insert Sig Here
The problem MS has with their patching strategy is that problems are not one size fits all. There are things in various parts of Windows and other MS products that are low priority to update and will not be happy if I have to push out something out of cycle. On the other hand, there are very serious critical flaws that are very high priority that I would like to have immediately and would push out to every machine I could find immediately.
All problems are not the same quality or severity so why is MS trying to treat them as such?
Boy, all those guys running web servers under DOS 5 must be pissing their pants!
The world's burning. Moped Jesus spotted on I50. Details at 11.
Use the exploit to their advantage? Just change their logo to a WMF and use the exploit to push the patch out?
Prove it.
ever. Or maybe I've just had too much diet coke.
Somehow I would have liked this to not come out until then, esp. since so many companies refused to install anything non-MS.
I did install the patch on my networks, and now I feel like my time was wasted and the stubborn people won.
I guess next time I go with the lazy people.
Here is the FAQ from the KB
-----
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) were previously listed as affected, but are no longer listed. Why is that?
Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates. For more information about the security update support policy for these versions of Windows, visit the following Web site.
-----
Although I do believe they should be patching this.
Posted by CmdrTaco on Thursday January 05, @12:56PM (3:56PM EST)
Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm EST
talk about releasing the news late.. the patch was already out by the time slashdot had the "news" that microsoft would be releasing the patch.
Obviously they looked at how he fixed it, snarfed it, and now we will see how 'MS innovation' spin produces a hotfix in record time.
They would have released it earlier, but their test machines kept getting hacked...
I heard it was because they were having a tough time coming up with the $40 a computer needed to acquire the software to distribute in the patch.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I vote this the most misinformed message of the day! (re the WMFs)
So all of you out there with WMFs with SETABORTPROCs in your META_ESCAPE records, beware!
(Not sure what I just said.)
His wife could not be reached to comment on this!
***rimshot***
Thanks folks! I'll be here all week. Don't forget to tip the wait staff.
Translation: "Our ass needed covering even earlier than anticipated."
Tag lost or not installed.
By your logic, Microsoft also has not patched the vulnerability. From the MS06-001 FAQ:
So, they basically used exactly the same workaround as the 3rd party patch that's been out for a week.
Causation can cause correlation
Great you have done a Case study on me..
So now EVERYONE knows what I'm running and what I may or may not be vulnerable to.
I wouldn't doubt that Xerox and rest called MS and Blew their top.
Not to mention you can just go to http://www.microsoft.com/resources/casestudies/ for a list of targets
We are a smaller shop; we have about 100 desktops/servers. I called and voiced my opinion in a calm and firm fashion. I guess A LOT of others did as well.
I'm convinced that it should hit every version of Windows. I have been embedding wmf for my thesis and proposals win 1998. I had lots of memory problems using either Word or Word Perfect to open those documents. Even with only a few wmfs embedded in Excel, or other third party applications (that were obviously using windows API to render them). Then I switched to StarOffice and the problem vanished... for me. My supervisor, with a much more powerful computer still had trouble. I guessed at the time that it was some kind of memory leak in the Windows rendering engine, and since StarOffice was cross-platform, they were probably using their own code to render it, and not the API. Back then I only thought how nice it was to be using StarOffice instead of constantly rebooting the computer and getting nothing done. I never thought back then that memory leak could mean buffer overflow which could mean security vulnerability. I have the feeling that it's related. Of course I'm not a computer guy. Obviously the bugs were never fixed from version to version, and I can't believe I'm the only one who noticed that wmf files, which are not supposed to take that much memory compared to raster images could turn into such a nightmare. My supervisor's Word still renders horribly wmf files that show very nicely in OpenOffice. To this day I still include my graphs as raster images for his sake.
I like my dinosaurs feathery, and my pterosaurs hairy (or is it pycnofibery?)
The real reason MS posted the patch is to shut ya' all up and stop the blogsteria from continually feeding the tech media frenzy. My place of employment (30,000 users) has not had any problems with the exploit. At my daughter's place of employment (180,000 users all over the world) IT reports no problems with the exploit.
But I want to thank you all for wonderful week of waiting for the sky to fall!
"Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions."
from
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
Oooooooh boy, I feel for those folks that have older machines... they're basically fucked. MS doesn't even call this "critical".
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
Early would have been before the original flawed release, surely?
Do you see what I did there?
The - final? - twist in the long, strange trip of the WMF bug - the vulnerability that just keeps on giving - has been revealed by H D Moore, the author of the Metasploit exploits (which is now on a third generation and even tricksier than ever!:)
After all the jokes about WINE compatibility... it turns out that WINE is vulnerable, too!!
To quote the words of a song by H D's namesake, Dudley:
(And I'm posting from a Thinkpad running Mandriva GNU/Linux, the first time I've been 100% Billy free at work as well as at home since 2000, so I'm allowed to laugh... no WINE for me cos I only run Free software *smug* :)
"Early"? It's too late to be "early".
Where are the patches for Win 98, Win 98 SE, and Win 98 ME? Microsoft rates this as a critical exploit and is supposed to release patches for critical exploits so where are they? Millions of people still use these operating systems.
-- SKYKING, SKYKING, DO NOT ANSWER.
I never thought back then that memory leak could mean buffer overflow which could mean security vulnerability
In this case, it's not a buffer overflow bug. In fact, it's not even a bug, per se. It's a feature, or at least a really bad design flaw that no one has stumbled upon/abused up until now. See F-Secure's writeup.
#include <signature.h>
Believe it or not Dos is still run in production. I know. I have dos machines on my network.
Charles Wyble System Engineer
Patching a few hundred servers is not how i wanted to spend my evening.
---- Booth was a patriot ----
I would rather have them release it as soon as it is ready. Even if it is done in steps.
Step 1) Release a fix that will close the security leak 100%, even if it means some things will not work anymore
Step 2) get a release that fixes everything so everything works as it should.
Step 1 can be done in hours. Step 2 then has much less pressure. It can be released when ready.
I can't understand how you can put a date and even less a time on a security patch. What if they are ready earlier? What if they are not ready at all?
Don't fight for your country, if your country does not fight for you.
I'd bet that 2000 SP4, XP Professional, and 2003 Server hardly took any time at all to prepare.
The x-64 2003 server and x-64 XP PRO probably required a bit more preparation and testing.
But someone in our party just had to order the 2003 Itanium-based product and make us all wait!
Ilfak's unofficial patch did not require a re-boot. Microsoft's does. Supposedly both patches do exactly the same thing.
I keep clicking there but nothing happens.
Unless they're including a time machine in the patch, I would call this release "late".
Microsoft's policy is that they will only release critical patches for 9X/ME systems because they have EOLed them. Their study of the vulnerability found that while those systems are vulnerable, that it is not critical because no attack vector has been identified. Whether or not you trust their assessment is another question, but that's why there's no patch for them. See questions 2, 3, and 4 in the FAQ.
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
I suspect 3.x is the same, but really, if you're using 3.10 as a desktop...
Ilfak's patch required a reboot to start applying to new processes, rtffaq.
I couldn't seem to find it.. is Microsoft doing a standalone distributable update (like for the flaw that took out some news networks) for large amounts of computers? A link would be helpful if someone had it.
space is pretty cool.
This is "Less late".
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
As an update to the story, Microsoft has announced that the patch release was a hoax.
Hackers were supposedly able to infiltrate Microsoft systems after Bill Gates viewed an email in Outlook containing a WMF file disguised as a GIF. Other reports say Gates visited a site containing the compromised file while using IE.
Bill Gates had this to say: "That's a lie. Everyone knows that I'm too smart to use IE or Outlook. Do I look like a retard to you?"
Microsoft claimed that they had no intention of releasing a patch early, especially a working one.
From the press release:
We at Microsoft have specific guidelines to prevent this sort of thing from happening. A Windows platform that works perfectly would damage the booming IT industry. Microsoft is dedicated to providing a safe haven for up and coming sys admins and tech support specialists
When asked about their aborted plans for the security fix, the PR spokesman replied, "This vulnerability has been fixed in Vista. Had the hackers not maliciously spread this patch, users could have officially fixed it by shelling out $1,000 for Vista when it is released."
In a final press release of the day, Microsoft has discovered a new vulnerability:
It has been discovered by a team of experts at Microsoft that all Windows machines will explode violently the day after Vista is released. This problem does not exist in Vista, however. Because no known exploits exist for the vulnerability, the status is set at Super-Cute-Pink-Bunny-Harmless. Since it has such a low status, a patch should not be expected until a month after Vista has been released.
If this signature is witty enough, maybe somebody will like me.
Apparently there's nothing for 98 or ME users...
Anyone who uses Cross-Over Office, Cedega, or plain old Wine (all 10 of you) -- your system is vulnerable to the recent WMF exploit. Loading an office document in Cross-Over that has an embedded WMF file will execute arbitrary code on your system. Gamers -- any games that display user-defined graphics (avatars, etc) and accept the WMF/EMF formats, could be exploitable. A patch was submitted to the Wine development team, but it may not be available for a while (especially if you use a commercial derivative). Please see the following URL for more information:
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0173.html
Actually, we still have a number of old legacy apps for some specialized hardware that we're still using DOS software for. Fortunately, all but one will run in a DOS session under Windows. I actually still see quite a lot of DOS software out there, particularly with Point of Sale systems and the like.
The world's burning. Moped Jesus spotted on I50. Details at 11.
-------
Userfriendly? Sure it is, unless you aren't computerfriendly!
/me to a classmate on FreeBSD
So, they basically used exactly the same workaround as the 3rd party patch that's been out for a week.
The MS patch removes the call in the WMF rendering engine that calls the gdi32 Escape() function with the SETABORTPROC parameter. The 3rd party runtime patch that's been around 'for a week' killed the Escape() function's ability to receive the SETABORTPROC procedure in _all user32.dll bound applications_ called by _anything_ for _any purpose_, 'breaking' more than just the WMF rendering caller.
Microsoft couldn't have done any better because this wasn't a coding error like a buffer overflow, it was an ancient long forgotten genuine feature.
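The comments above locate the trigger in a META_ESCAPE record whose escape function is SETABORTPROC. As an added example (not part of the original thread and not Microsoft's or any vendor's code), this scanner walks the records of a WMF byte string and flags that combination; the record layout and constants follow the published WMF format, and the sample files are constructed here with inert escape data.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header before META_HEADER
META_EOF = 0x0000
META_ESCAPE = 0x0626          # record function that replays a GDI Escape() call
SETABORTPROC = 0x0009         # escape function named in the comments above
MFCOMMENT = 0x000F            # a harmless escape function, used for contrast


class WmfError(ValueError):
    """Raised when the bytes do not parse as a well-formed metafile."""


def iter_records(data):
    """Yield (offset, function, params) for every record in a WMF byte string."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22
    if len(data) < pos + 18:
        raise WmfError("truncated META_HEADER")
    ftype, header_words = struct.unpack_from("<HH", data, pos)
    if ftype not in (1, 2) or header_words != 9:
        raise WmfError("not a WMF header")
    pos += 18
    while pos + 6 <= len(data):
        # Each record: 32-bit size in 16-bit words, 16-bit function, parameters.
        size_words, function = struct.unpack_from("<IH", data, pos)
        end = pos + size_words * 2
        if size_words < 3 or end > len(data):
            raise WmfError("bad record size at offset %d" % pos)
        yield pos, function, data[pos + 6:end]
        if function == META_EOF:
            return
        pos = end
    raise WmfError("missing META_EOF")


def scan(data):
    """Return (verdict, offsets); verdict is 'flagged', 'malformed' or 'clean'.

    The check works on content, so a renamed file (.gif, .jpg) is treated the
    same as a .wmf. A parse error never hides hits found before it.
    """
    hits = []
    try:
        for offset, function, params in iter_records(data):
            if function == META_ESCAPE and len(params) >= 2:
                if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                    hits.append(offset)
    except WmfError:
        return ("flagged" if hits else "malformed"), hits
    return ("flagged" if hits else "clean"), hits


# --- constructed sample files (hypothetical helpers, for the demo only) ---
def record(function, params=b""):
    assert len(params) % 2 == 0, "parameters are whole 16-bit words"
    return struct.pack("<IH", 3 + len(params) // 2, function) + params


def build_wmf(records, placeable=False):
    body = b"".join(records) + record(META_EOF)
    largest = max(len(r) for r in records + [record(META_EOF)]) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, 9 + len(body) // 2, 0, largest, 0)
    prefix = struct.pack("<I", PLACEABLE_MAGIC) + bytes(18) if placeable else b""
    return prefix + header + body


SET_MAP_MODE = record(0x0103, struct.pack("<H", 8))  # META_SETMAPMODE
COMMENT = record(META_ESCAPE, struct.pack("<HH", MFCOMMENT, 4) + b"note")
ABORT = record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + bytes(4))  # inert data

BENIGN = build_wmf([SET_MAP_MODE, COMMENT])
SUSPECT = build_wmf([SET_MAP_MODE, ABORT])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan(blob))
```

A hit means only that the record is present; the check inspects structure and does not interpret the escape data.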
"If Microsoft Doesn't Fix Windows 98/ME, GRC will. Microsoft has "reclassified" the WMF vulnerability in Windows 95, 98, and ME as non-critical. This means that it will probably NOT be updated and patched for the WMF handling vulnerability that those older versions of Windows apparently have."
So, if Microsoft does not produce an update to repair those older versions of Windows, GRC (Steve Gibson) will make one available.
Source: http://www.grc.com/sn/notes-020.htm
- I just think that maybe in the near future patches for Windows from outside Microsoft will become more common...
-xet7
Not true; see http://it.slashdot.org/comments.pl?sid=173098&cid=14405082
Or so we have to assume. A real blackhat isn't going to advertise his source of income so that patching makes his goldmine obsolete. The fact that we only see dumb, recycled exploits over and over again may very well be caused by an evolutionary process. (Nice, huh, how I can get an ID remark even into a Microsoft topic?)
What I'm saying is: there is a very real possibility that this exploitable bug/feature has already been used to enter your network. To rob you blind, change that one number in a CAD-assisted engineering plan for that new super-structure/nuclear reactor, kill that one patient, who will tell?
The rest of the story I'll leave to your imagination, lest I be accused of bashing.
My XP PC (which has been in suspend mode for over a week) woke up and I loaded the new Java runtime and Microsoft security patches. The patches took way too long long to load and CCAPP.EXE refused to exit when shutting down. Restarting got me to a login screen with no user icons - my user account had been deleted! Now I get to try to find and restore all my old user files and registry entries. Joy, joy.
Has anyone else noticed a delay when saving a file in the GIMP after applying the patch?
I'd rather have someone respond than be modded up.
that the unregister workaround only cut off some of the nastier attack vectors but not necessarily all of them.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
For example, old software from industrial robots. In my university there are some robots that work only on DOS. They have there some old PCs with Windows 95. The program runs in DOS mode. But of course they are not connected to the internet. Yeah, those robots are old but are fun to play with. I guess they don't want to spend a lot of money on new robots that we can easily damage :D.
lynx.browser.org
I am using 5.10 Ubun oh wait...
CONSPIRACY THEORY: This is how they will finally get everyone to upgrade, from fear. But I will continue to use my WIN98SE box, running my favorite PCB CAD program.
Insanity: doing the same thing over and over again and expecting different results. Albert Einstein
A remote code execution security issue has been identified in the Graphics Rendering Engine that could allow an attacker to remotely compromise your [Windows computer].
I mean, what's next? Opening a mis-formed text file with Notepad gives an attacker root access?
But I think the more serious problem is that MS doesn't release patches when they're ready, except in cases when it's very serious (like this). What if this had happened a week from now, but wasn't discovered for yet another week or something? Would they still release early? End-of-life schedules also present problems, with older releases often being affected by new vulns but not being patched.
Eat me deep
It amazes me that people still go out of their way to make themselves as vulnerable as possible. My Antivirus program was catching these WMF exploits well before this patch was released - does no-one run AV software? Finally, machines with DEP enabled (software or hardware) were, according to MS, not vulnerable to this attack either.
I can remember when getting a virus via an image was just an urban myth - well done MS for making it a reality.
I'm pretty sure that IE 5.0 for Windows 3.1 can.
Whenever I hear the word 'Innovation', I reach for my pistol.
Windows 3.0 was the last release with 8088 hardware support, you insensitive clod.
Why? I have an older computer. Win 98 SE does everything I need just fine. Why do I want to buy a new computer just so I can pay Microsoft for a newer operating system that I don't need?
-- SKYKING, SKYKING, DO NOT ANSWER.
Microsoft didn't mean for this to be released this week.
http://news.com.com/Microsoft+inadvertently+leaks+WMF+patch/2100-1002_3-6018263.html?part=rss&tag=6018263&subj=news
I noticed the little shield icon so started clicking to install the patch. When it was done, it told me that I should reboot, so I did. I wasn't paying attention when the computer came back on, so it went into the default OS. So now, I'm happily typing away in Linux. Which reminds me that I need to change the default OS back to Windows before my wife notices.
"Microsoft has completed the investigation into a public
report of a vulnerability"
"Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness"
"We have issued a security bulletin to address this issue"
"The information provided in this advisory is provided 'as is'
without warranty of any kind"
"For more information about this issue, please review the
security bulletin"
"In no event shall Microsoft Corporation or its suppliers be
liable for any damages whatsoever"
This may have been answered before, but I have used IEradicator, and I need a link that does not require me to use Internet Exploder to download the patch. Therefore, if anyone could direct me to such a link, I would be grateful.
GENERATION 667: The first time you see this, copy it into your sig on any forum and add 1 to the generation
1. People like to b*tch about everything no matter how good they have it.
2. Most of the people here would still hate Microsoft even if Bill gave up 75% of Microsoft's yearly profit to fund cancer research. You'd all whine "Why can't Billy give 90%, that evil, crooked b@stard."
All you Billy-bashing knuckle-draggers can't even fathom the fact that if Mac OSX or RedHat were the top dog in enterprise sales and Microsoft was the undercapitalized weakling, viruses, worms, and spyware would no longer exist for the Win32 platform. Why would the hackers and script kiddies spend all time and effort trying to target only 20% of the market?
You also don't have the mental capacity to appreciate Microsoft's innovative contributions to the IT industry, either directly or indirectly. Many of our current technologies were spurned directly from the spirit of competition against Microsoft. So MS buys someone out. Why hate MS? Why don't you hate the seller for selling out? You are all just looking for something to whine about.
Oh and if you claim that they are really engineers then that is good. We should be able to find the person that signed off on this wmf code and promote him to head of software development at MS.
Cause let's face it, nobody has even been fired for putting bugs in MS software.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
You should look up the word "spurned". I think that the word you want might be "spawned". At any rate cowboy "spurned" has got nothing to do with spurs.
How many beans make five, anyhow ?
Thank you for your interest in obtaining updates from our site.
..... I use firefox so I don't have to use their crap any more than I have to, but I have to use their crap in order to fix another piece of their crap .....
To use this site, you must be running Microsoft Internet Explorer 5 or later.
To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.
How bloody typical
Has anyone else noticed that after installing the "WMF Patch" you now have a "My Websites on MSN" site in your "My Network Places" and that Firefox v1.0.7 now hangs on load? That's a good way to win the browser war. Great job Microsoft!
Word and Write files can host and render WMF files internally. The fact that nobody has written a file that uses that as an attack vector doesn't mean that it isn't possible, only that there is such an easy (and consistent) route to owning winxp that nobody has bothered with the older systems yet.
:)
After all, if you are a bot author, would you rather build and test for winXP or support legacy Win98 boxes with their weaker networking stack, device driver problems, etc. Think of all the support calls
Wow. I'd say it's not a feature, or a design flaw, it's actually a designed in back door to execute arbitrary code contained within the WMF object.
It proves the point so many of us have observed: Friends don't let friends put Windows on networks. Its 'trust everything' design should have been revisited at the same time as MS built their first network stack.
Justin.
You're only jealous cos the little penguins are talking to me.
Yes, chawley. Thank you for pointing that out. Now let's see if people can get past one inappropriately used word and focus on the point of the comment.
To paraphrase:
Except that your car is so old it doesn't really have keys or anti-theft protection, so criminals keep taking it and using it to try to run other people off the road, litter the streets with spam, or create traffic jams of old beaters tying up the interstate so no one else can use it (DOS attack). It's so old that it's just not safe any more, and should not be allowed on public roadways.
Besides, car prices have changed. That new car costs about half of what your old monitor did way back when... ;)
I do not fail; I succeed at finding out what does not work.
Oh but I did, my dear good sir, I quite got your point (just had to open my mind a bit) thought I'd point out the mistake, though. Must admit I thought it was a cowboy getting a bit carried away. For the record, I quite agree with you - but I did think that the mistake would cause a smile. Worth underlining it for the smile, I thought. Didn't mean to bother anybody. Mes excuses.
How many beans make five, anyhow ?
> but really, if you're using 3.10 as a desktop...
No, you see, I never upgraded to 3.1, because it requires a 386 CPU...
Cut that out, or I will ship you to Norilsk in a box.
Since my computer is running MS-Windows 95 (when it runs MS-Windows), it's safe.
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
Ooops, sorry. I was reading non-threaded.
No, you see, I never upgraded to 3.1, because it requires a 386 CPU...
That's not true. Windows 3.1 runs happily on a 286 provided you have enough ram. You just don't get the benefits of "386 Enhanced Mode".
Yes, it does. My Win 98 SE box is behind a stout hardware Linux firewall that has a shitload of ports blocked off. The Win box itself has a software firewall, grisoft avg, and several malware/spyware removers. I simply won't run a Windows box on an external IP address, no matter what version of the operating system. I just don't trust Microsoft. I also have a Win 2K Pro box btw and I take the same precautions with it.
-- SKYKING, SKYKING, DO NOT ANSWER.
And yes, I have a 1995 Jeep Wrangler. It gets me around town. I don't want to buy a new Jeep because the stuff being put out today by Chrysler sucks. I've added anti-theft protection to my 1995 Wrangler. I keep it in tip top mechanical condition so it's safe. And a new jeep costs a shitload more than what I paid for my Jeep in 1995.
-- SKYKING, SKYKING, DO NOT ANSWER.