Slashdot Mirror


Microsoft to Patch WMF Exploit Early

Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm ET, instead of Tuesday, as originally planned. Microsoft writes: 'Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.'"

11 of 306 comments

  1. Really? by Life700MB · Score: 2, Interesting

    Is it really a problem of customer sentiment, or is it actually the public embarrassment of a third party releasing a patch quicker even without the source code of the libraries?


    --
    Superb hosting 20GB Storage, 1_TB_ bandwidth, ssh, $7.95

  2. Re:Reactive vs Proactive by cnettel · Score: 5, Interesting
    For an out-in-the-wild exploit, I would agree. For one that is currently, to their knowledge, not known among the script kiddies of the world, I'm not so sure. Releasing a patch will, generally, make those who are not yet prepared to implement it more vulnerable, if it means that knowledge of details is more widespread.

    I think that some corporate users (especially) are quite thankful for patch Tuesdays; especially those that have been bitten by some compatibility issue previously and can't just run autoupdate of all desktops at night, but rather want to roll it out manually.

    Again, this is not the case here; this exploit was discovered in the wild and it's spreading right now.

  3. It still took a long time! by LinuxDon · Score: 3, Interesting

    The exploit writers have had the exploit ready for quite a while now.
    While MS was 'testing' everyone has been installing 'fixes' from other sites.
    Even IF their patch was not 100% it wouldn't really have mattered in this case.

    There was a gaping security hole in their OS and they still needed 12 days to come up with a fix!
    For such a large company whose software is being used by *millions* of people worldwide and 7 billion a quarter profit, they've sure taken their sweet time!

    Why don't they take some 0.01 percent of that 7 billion and test/release it sooner?

  4. Clip Art by scolby · Score: 2, Interesting

    Intrigued with the brouhaha surrounding WMFs, I did a search for them on my machine. The only WMFs I found were Microsoft's clip art. Which begs the question: is there anyone out there who isn't Microsoft who commonly uses this file type?

  5. Re:is their face red by Anonymous Coward · Score: 1, Interesting

    According to http://www.grc.com/sn/notes-020.htm, Microsoft actually patched this thing on December 28th. The built and digitally-signed GDI32.DLL carries that date.

  6. Sober is the reason IMHO by PaxTech · Score: 2, Interesting
    There's speculation that when sober.z goes into action tomorrow it may try to download a WMF exploit, hence the quick turnaround on the patch.

    I think that by this point Microsoft is pretty much numbed when it comes to public embarrassment.

    --
    All movements for social change begin as missions, evolve into businesses, and end up as rackets.
  7. Re:early my eye by javaxman · Score: 4, Interesting
    It's the old "SCOTTIE" trick. They say they need until the 10th to test and patch and make sure it works and then they WOW us by being able to release it early. They had it ready before now, they are just trying to salvage what little they have out of this fiasco.

    They had it ready, if by ready you mean a version had been compiled and 'tested' once on the developer's machine.

    Trust me, right now in Redmond there's a whole team of Quality Assurance Engineers who are looking at their test plans, scratching their heads, and once again calling into question the actual value of their work, given that some manager can arbitrarily decide when it's time to rush a release regardless of what the schedule said or what the impact of a patch was or which cases remain un-tested. That, and they're really, really tired after pulling a couple of all-nighters.

    Have fun testing that patch.

  8. will? or did.. by mottie · Score: 3, Interesting

    Posted by CmdrTaco on Thursday January 05, @12:56PM (3:56PM EST)

    Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm EST


    Talk about releasing the news late... the patch was already out by the time Slashdot had the "news" that Microsoft would be releasing the patch.

  9. Re:Early release to catch out the hackers by bogie · Score: 2, Interesting

    "I'm sure a lot of people out there who were planning to taking advantage of this problem have been thinking that they have till Tuesday to write a really good exploit, and therefore not hurrying too much."

    I don't believe that for a second. People who wanted to take advantage of this flaw had their code done within 48hrs of the public disclosure. No serious hackers were waiting till this weekend to try and catch some people. It's a race you see. The last thing they wanted was to wait a week and let Antivirus makers and consumers get wise to this and start taking precautions.

    IMHO MS releasing this early is due to bad PR and massive pressure from customers. I think it had nothing to do with "tricking" crackers.

    And I also want to say thanks to a "real" hacker. Running around like crazy to install that 3rd party patch probably saved me from mucho headaches. Jeers to MS for taking so freaking long.

    --
    If you wanna get rich, you know that payback is a bitch
  10. Re:Rough translation by sharkey · Score: 2, Interesting

    Since when did that matter to Bill & Co.?

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  11. Re:and millions of /.'ers groan... by deaddrunk · Score: 2, Interesting

    Is there a way for a non-privileged user to receive notifications of new updates? I only knew about this one because it was so widely publicised. I know I can just log on as super-user first when I start my machine but I'd prefer to just have the notification before I have to log on to the super-user account.

    --
    Does a Christian soccer team even need a goalkeeper?