Slashdot Mirror


Microsoft to Patch WMF Exploit Early

Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm ET, instead of Tuesday, as originally planned. Microsoft writes: "Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible."

25 of 306 comments

  1. Reactive vs Proactive by biocute · · Score: 5, Insightful

    Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.

    It would have been nicer if they made patches available as soon as possible, with or without strong customer sentiment.

    1. Re:Reactive vs Proactive by targo · · Score: 3, Insightful

      It would have been nicer if they made patches available as soon as possible, with or without strong customer sentiment.

      This doesn't make any sense. All patch release dates are a function of:
      1) impact of the problem
      2) complexity of required testing
      The idea being that the patch shouldn't cause more harm than the original flaw.
      If the impact is huge, testing of more obscure cases can be deferred somewhat. If the impact is small, more time can be taken.
      So if there hadn't been any customer sentiment (i.e. no one cared), it would make no sense to rush the patch and risk breaking something.

    2. Re:Reactive vs Proactive by grcumb · · Score: 4, Insightful

      "If the impact is huge, testing of more obscure cases can be deferred somewhat. If the impact is small, more time can be taken."

      I'm with you so far....

      "So if there hadn't been any customer sentiment (i.e. no one cared), it would make no sense to rush the patch and risk breaking something."

      Err, that's a non-sequitur. Whether customers care or not has nothing to do with the cost/benefit analysis that decides the timing and scope of an initial patch. A software company should never rely on its customers to perform risk analysis. If it's serious (and the WMF flaw is egregiously so), then you find a way to protect your customers as quickly and effectively as you can. In some cases - though certainly not all - you can even accept shortcomings in the patch itself if it significantly reduces the risk.

      The third-party patch, for example, causes issues with the Windows printing subsystem. People voiced suspicions that this might be the case right from the start, though confirmation only came through earlier today. To my mind, that was an acceptable risk. A server that can't perform some print tasks and won't show pretty preview icons is worth a heck of a lot more to me than one that's 0wned by some random script kiddy.

      And before some astroturfing twit spouts the simplistic, binary logic of 'MS is damned if they do and damned if they don't', I'd like to say from experience that deciding the timing of a security patch is a terribly difficult process. It requires the right amount of analytical skill, deep technical expertise, a healthy dose of horse sense and exactly the right measure of patience. Too much or too little of any of these can result in exactly the wrong kind of response.

      Patching is not about being a nice guy. It's not about what your customers think of you. There should be no marketing or sales angle in the creation or timing of a security patch. You determine the scope and severity of the threat, be as thorough as you can reasonably hope to be (and that's never as thorough as you'd like), and deliver it as soon as you reasonably can.

      I'm in complete agreement with this handler's diary from isc.sans.org concerning Microsoft's announcement that they would issue the patch at the regularly scheduled time. Given the severity of the flaw, it's unconscionable that they should leave their customers exposed for so long. The fact that they only decided to release the patch out of cycle in response to their users demonstrates that they're far more worried about their image than they are about their software. This does not bode well at all for them. Or for their customers, for that matter.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  2. Splendid... by Hymer · · Score: 4, Insightful

    ...only 10 days too late...
    ---
    tis is not a FP

  3. 8 Days to patch by badriram · · Score: 3, Insightful

    Maybe it is just me, but 8 days for a tested patch does not seem that long. However, it was a 0-day, which made this exploit special.

    1. Re:8 Days to patch by Anonymous Coward · · Score: 5, Insightful

      ProTip: If a third party can patch it faster than you, without access to the original source code - you suck.

    2. Re:8 Days to patch by croddy · · Score: 5, Insightful

      1. Release patch 8 days late
      2. Describe it as an "early" release
      3. ???
      4. Profit!!!
    3. Re:8 Days to patch by 10101001+10101001 · · Score: 2, Insightful

      >>It would have been nicer if they made patches available as soon as possible, with or without strong customer sentiment.

      >Maybe it is just me, but 8 days for a tested patch does not seem that long.

      Eight days to test a patch might not be long, but if after you've tested it for 8 days you decide to delay releasing the patch for 10 more days to make it easier on consumers, then you've got to recognize that you've got a pretty major problem: a) you're patching so often that such is an issue, and b) your patching mechanism is so bad that it's a hassle to apply patches.

      >However, it was a 0-day, which made this exploit special.


      Actually, there's a major problem with that mentality. How do you know that this exploit is special? For all you know, other exploits MS is sitting on and already has a tested patch for are being exploited *right now*. Even worse, you've deluded yourself into believing that your not hearing about an exploit from the press pre-patch release means you can apply the patch without worrying that your box is already rooted.

      Of course, most people don't do a clean install over any patch, even if they're exploited by some program, unless it's utterly, apparently necessary (i.e., your computer is crashing so often you simply can't do anything). Why? Again, because it'd be such a hassle. Considering how many companies use Windows machines as front-ends to all sorts of data they probably don't want leaked out, it's amazing that Windows machines are even still accepted, regardless of how "necessary" Windows is. I guess it'll take a few high-profile cases of corporate espionage through non-press-announced 0-day exploits for things to change.

      Oh, and just to make it clear, this is just as much a problem in Linux. The biggest advantage Linux and any open source OS have going for them is that they can be trimmed to a very minimal set of files, which reduces the chances of containing an exploitable file, let alone providing a means to exploit it. The long-term answer is probably verifying software, much like how OpenBSD was audited multiple times. If I were a company, I'd really look into OpenBSD over all OSs.

      --
      Eurohacker European paranoia, gun rights, and h
  4. It's already out.. by Anonymous Coward · · Score: 2, Insightful

    http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

    WSUS picks it up on sync, so start deploying once you've tested it internally. 5 days early? Not bad. Not great, but an official patch is always welcome. Hats off to the SANS team for applying the pressure. It's unfortunate that they were not mentioned in the Acknowledgements section of the MS06-001 release notes.

  5. Thank you, Big Brother by Gadren · · Score: 5, Insightful

    "It appeared that there had even been demonstrations to thank Big Brother for raising the chocolate ration to twenty grammes a week. And only yesterday, he reflected, it had been announced that the ration was to be reduced to twenty grammes a week."

  6. I call bullshit by Anonymous Coward · · Score: 2, Insightful

    Somebody within M$ finally awoke to the public outcry from the sysadmins and ISC. Leaving your customers swinging in the breeze for weeks to release such a critical patch is criminal.

  7. I know, I know... by Eberlin · · Score: 3, Insightful

    Damned if they send out patches as they're made (too many, too confusing) and damned if they wait 'til Patch Tuesday (negligent, inconsiderate).

    We can't have it both ways, and neither should they. I say send out patches as they're made and let the sysadmins be responsible for whether they can keep up or not. It may be difficult to admin many machines that have to be patched but I'd rather have fixes available ASAP and put the burden on IT to apply them.

    Yeah, there are patches that will break stuff and ample testing should be done anyway...but does rolling them all into a Patch Tuesday really change that fact? Probably not.

    With this sentiment, we can put more pressure on Patch Tuesday for what it really is -- a Trustworthy Computing PR stunt in which the number of fixes and vulnerabilities seems to be lower (since we're only patching once a month...maybe).

    All that said, kudos to MS for reacting...but unkudos for taking this long...and major unkudos for being naive about the WMF design to begin with.

  8. Re:and millions of /.'ers groan... by ergo98 · · Score: 3, Insightful

    Well the funny thing is that this exploit only affects Internet Explorer as well. So basically what they are saying is

    They aren't "saying" anything. The Windows Update web app, as a requirement of the fact that it uses ActiveX, requires Internet Explorer. Nonetheless, not only is the patch rolling out right now via auto-updates, you can also download it directly.

    In any case, even though I use Firefox and Opera for my day-to-day browsing, I really don't feel that threatened firing up Internet Explorer for the purpose of connecting to Microsoft.

  9. Early release to catch out the hackers by briqui · · Score: 3, Insightful

    Telling everyone that they are going to wait till Tuesday to patch the problem, then releasing a patch 5 days earlier might actually be quite a neat trick.

    I'm sure a lot of people out there who were planning to take advantage of this problem have been thinking that they have till Tuesday to write a really good exploit, and therefore haven't been hurrying too much.

    Now Microsoft come along and patch it early.

    I don't know about anyone else, but I was expecting Monday to be a day from hell...

  10. The Real Reason by guaigean · · Score: 2, Insightful

    Actually they are doing this to save face. The reason it is being put out "early" is because someone else wrote a fix for it already. People apparently flowed to this other site for the patch, and people started wondering what the problem was. Here was a person who without the Windows source fixed the bug, while Microsoft itself with full access to the code was delaying. In order to save face they had to rapidly deploy it rather than sit on it as they normally do.

    --
    Microsoft Sucks, F/OSS Rocks. I get mod points now right?
  11. 3rd party did not patch vulnerability by badriram · · Score: 3, Insightful

    They just blocked the execution of the vulnerable function. This, to me, is a mitigation method, not a patch. Think of it this way: there is a vulnerability in mod_rewrite within Apache, and a third-party "patch" just disables it to secure Apache.

  12. Re:and millions of /.'ers groan... by ergo98 · · Score: 2, Insightful

    Duh.... it's their deviation from standards that keeps making them vulnerable. ActiveX is more a security flaw than a feature, and it's their choice to continue to try and force it down people's throats rather than attempt to conform with industry/W3C standards.

    Conform with industry standards? What sort of nonsensical groupthink claptrap is that? Is there a W3C standard on updating system libraries via a webpage that Microsoft isn't conforming to? Right - no there isn't, and ActiveX exists as embedded content just like Flash, Java, and many other non-W3C technologies, as it should.

    As mentioned, though - THERE ARE TWO OTHER AVENUES FOR GETTING THE PATCH, rendering your original comment ridiculous at the outset.

  13. Re:Old Systems by VAXcat · · Score: 2, Insightful

    If they're still running Windows 95/98, it already sucked to be them...bug, patch, or no...

    --
    There is no God, and Dirac is his prophet.
  14. "testing ... completed earlier than anticipated" by antispam_ben · · Score: 4, Insightful

    Translation: "Our ass needed covering even earlier than anticipated."

    --
    Tag lost or not installed.
  15. Re:Sadly no by diersing · · Score: 2, Insightful

    There are a *lot* of companies apparently with their collective heads up their asses.

    If you are in this predicament of supporting an NT4 environment - I feel for you, I really do. Seriously, at some point avoiding the costs of upgrades is going to hurt more than cutting the dang check.

    ask not for whom the bell tolls...

  16. Early? by BumpyCarrot · · Score: 2, Insightful

    Early would have been before the original flawed release, surely?

    --
    Do you see what I did there?
  17. Re:Sadly no by Tony+Hoyle · · Score: 3, Insightful

    No, they're just companies that can't spend half a million dollars upgrading hardware and software just to run the latest whizz-bang eye candy from Microsoft, when what they have works just fine.

    Over 40% of our customers are NT4 shops. Some of them are *big*.

  18. "Early" was LAST WEEK by Philip+K+Dickhead · · Score: 2, Insightful

    This is "Less late".

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
  19. Re:is their face red by Kris_J · · Score: 2, Insightful

    You are confusing accountability with ability. When the ideal situation does not exist, both must be considered.

  20. Microsoft Bashing by OpenMynded · · Score: 2, Insightful

    Events like this WMF Exploit only prove two things.

    1. People like to b*tch about everything no matter how good they have it.
    2. Most of the people here would still hate Microsoft even if Bill gave up 75% of Microsoft's yearly profit to fund cancer research. You'd all whine "Why can't Billy give 90%, that evil, crooked b@stard."

    All you Billy-bashing knuckle-draggers can't even fathom the fact that if Mac OS X or Red Hat were the top dog in enterprise sales and Microsoft was the undercapitalized weakling, viruses, worms, and spyware would no longer exist for the Win32 platform. Why would the hackers and script kiddies spend all their time and effort trying to target only 20% of the market?

    You also don't have the mental capacity to appreciate Microsoft's innovative contributions to the IT industry, either directly or indirectly. Many of our current technologies were spurned directly from the spirit of competition against Microsoft. So MS buys someone out. Why hate MS? Why don't you hate the seller for selling out? You are all just looking for something to whine about.