Microsoft to Patch WMF Exploit Early
Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm ET, instead of Tuesday, as originally planned.
Microsoft writes: "Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible."
Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.
It would have been nicer if they made patches available as soon as possible with or without strong customer sentiment.
Thank you for your interest in obtaining updates from our site.
To use this site, you must be running Microsoft Internet Explorer 5 or later.
To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.
How Jaded Are You?
No problem... there's plenty of other exploits for windows.
testing has been completed earlier than anticipated
Sure.
"When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
...only 10 days too late...
---
tis is not a FP
Maybe it is just me, but 8 days for a tested patch does not seem that long. However it was a 0 day which made this exploit special.
"in response to strong customer sentiment" I.e. we look foolish that the community was able to fix it sooner than we were. Here you go, we're not that bad after all, see?
Let's be friends again.
Slashdot # 199661 the number that's the same upside down and right side up
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
WSUS picks it up on synch so start deploying once you've tested it internally. 5 days early? Not bad. Not great, but an official patch is always welcome. Hats off to the SANS team for applying the pressure. It's unfortunate that they were not mentioned in the Acknowledgements section of the MS06-001 release notes.
They would have released it earlier, but their test machines kept getting hacked...
20 mil and I will! Learn Esperanto with 20M others.
The security update will be available at 2:00 pm PT as MS06-001. In any case, I'm glad to see Microsoft listening to customers and security advocates to release before the regular monthly patch date.
Is it really a problem of customer sentiment, or is it actually the public embarrassment of a third party releasing a patch quicker even without the source code of the libraries?
Let me guess, they've added a warning message that says you're about to download or open a WMF then lets you do it anyway? It took them all week to develop because they needed to translate "OK" and "Cancel" to 47 different languages.
"It appeared that there had even been demonstrations to thank Big Brother for raising the chocolate ration to twenty grammes a week. And only yesterday, he reflected, it had been announced that the ration was to be reduced to twenty grammes a week. "
Somebody within M$ finally awoke to the public outcry from the sysadmins and ISC. Leaving your customers swinging in the breeze for weeks to release such a critical patch is criminal.
It's 4PM now, so I fixed that for you.
It's the old "SCOTTIE" trick. They say they need until the 10th to test and patch and make sure it works and then they WOW us by being able to release it early. They had it ready before now, they are just trying to salvage what little they have out of this fiasco.
Well, I guess it already is out. Guess they got their announcement mixed up.
Here's the actual link to MS's site that describes the patch: Microsoft Security Bulletin MS06-001
"When will the patch for the patch be released?" asked Fox News correspondent Bubbles McConnifer, causing the press corps to giggle like schoolgirls in heat.
"Smile when you said that, bitch," growled a visibly angered Microsoft, who then motioned to two pinstripe suited thugs who escorted Ms. McConnifer from the press conference.
"Any other questions, whores?" asked Microsoft, placing fists on hips and allowing his 'MS Certified Otakus Rule!' T-Shirt to be seen. His query was greeted by silence. "Well alright, then."
I'd like to know how many people downloaded and installed the "hacked" version(s). Any firm numbers out there? Thousands, hundreds of thousands, millions?
Our customers are getting pwn3d.
Reality is defined by the maddest person in the room
Damned if they send out patches as they're made (too many, too confusing) and damned if they wait 'til Patch Tuesday (negligent, inconsiderate).
We can't have it both ways, and neither should they. I say send out patches as they're made and let the sysadmins be responsible for whether they can keep up or not. It may be difficult to admin many machines that have to be patched but I'd rather have fixes available ASAP and put the burden on IT to apply them.
Yeah, there are patches that will break stuff and ample testing should be done anyway...but does rolling them all into a Patch Tuesday really change that fact? Probably not.
With this sentiment, we can put more pressure on Patch Tuesday for what it really is -- a Trustworthy Computing PR stunt in which the number of fixes and vulnerabilities seems to be lower (since we're only patching once a month...maybe).
All that said, kudos to MS for reacting...but unkudos for taking this long...and major unkudos for being naive about the WMF design to begin with.
The exploit writers have had the exploit ready for quite a while now.
While MS was 'testing' everyone has been installing 'fixes' from other sites..
Even IF their patch was not 100% it wouldn't really have mattered in this case.
There was a gaping security hole in their OS and they still needed 12 days to come up with a fix!
For such a large company whose software is being used by *millions* of people worldwide and 7 billion a quarter profit, they've sure taken their sweet time!
Why don't they take some 0.01 procent of that 7 billion and test/release it sooner?
... meaning all us east coast admins will be staying late tonight. Joy.
"Powers. I have them."
I had this virus on my desktop spamming its false alerts since as early as last week. After I found the proper guides on how to remove it, and an arduous 5 hour session of reboots, safe mode runs, virus scans from 5 different programs, and constant tweaking and adjusting, I finally removed the virus on my own. Thanks Microsoft...
Intrigued with the broo-haha surrounding WMFs, I did a search for them on my machine. The only WMFs I found were Microsoft's clip art. Which begs the question: is there anyone out there who isn't Microsoft who commonly uses this file type?
In other news, Microsoft bought out the company that originally patched the flaw. ;)
-Chris
You're right! That's because nobody could figure out how to patch their machines in the first place!
.... 'click on the update icon and wait'...
Er - have you used a mainstream linux desktop distro recently? It is like
Telling everyone that they are going to wait till Tuesday to patch the problem, then releasing a patch 5 days earlier might actually be quite a neat trick.
I'm sure a lot of people out there who were planning to take advantage of this problem have been thinking that they have till Tuesday to write a really good exploit, and therefore not hurrying too much.
Now Microsoft come along and patch it early.
I don't know about anyone else but I was expecting Monday to be a day from hell...
Same here. The previous hotfix is uninstallable, but I'm wondering who I trust more. Microsoft or an IDS expert.. Decisions.. decisions.
Does this mean I can't have an image file that creates bouncing pictures hopping around on my screen with some guy screaming that I am looking at gay porno?
srsly, fuck u miKKKro$haft
Actually they are doing this to save face. The reason it is being put out "early" is because someone else wrote a fix for it already. People apparently flowed to this other site for the patch, and people started wondering what the problem was. Here was a person who without the Windows source fixed the bug, while Microsoft itself with full access to the code was delaying. In order to save face they had to rapidly deploy it rather than sit on it as they normally do.
Microsoft Sucks, F/OSS Rocks. I get mod points now right?
I'm only getting hits on 2000, XP, and 2003: According to the Financial Times article highlighted at Drudge, Hyppönen said the vulnerability is supposed to hit "every Windows operating system since 1990".
So is there a patch for older versions of Windows?
I think that by this point Microsoft is pretty much numbed when it comes to public embarrassment.
All movements for social change begin as missions, evolve into businesses, and end up as rackets.
Funny, yes, but not true. The patch is available here:
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
Just downloaded it with Firefox. It's just Windows Update that requires IE.
They just blocked the execution of the vulnerable function. This to me is a mitigation method not a patch. Think of it as, there is a vulnerability in mod_rewrite within apache, and a third party "patch", just disables it, to secure apache.
The ISC has clear instructions on how to remove the unofficial patch, although it apparently co-exists ok with Microsoft's patch.
This wouldn't have anything to do with the fact that the fix got leaked early, would it?
http://grc.com/sn/notes-020.htm
Insert Sig Here
The problem MS has with their patching strategy is that problems are not one size fits all. There are things in various parts of Windows and other MS products that are low priority to update and will not be happy if I have to push out something out of cycle. On the other hand, there are very serious critical flaws that are very high priority that I would like to have immediately and would push out to every machine I could find immediately.
All problems are not the same quality or severity so why is MS trying to treat them as such?
Boy, all those guys running web servers under DOS 5 must be pissing their pants!
The world's burning. Moped Jesus spotted on I50. Details at 11.
Use the exploit to their advantage? Just change their logo to a WMF and use the exploit to push the patch out?
Prove it.
Somehow I would have liked this to not come out until then, esp. since so many companies refused to install anything non-MS.
I did install the patch on my networks, and now I feel like my time was wasted and the stubborn people won.
I guess next time I go with the lazy people.
Here is the FAQ from the KB
-----
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) were previously listed as affected, but are no longer listed. Why is that?
Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates. For more information about the security update support policy for these versions of Windows, visit the following Web site.
-----
Although I do believe they should be patching this.
Posted by CmdrTaco on Thursday January 05, @12:56PM (3:56PM EST)
Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm EST
talk about releasing the news late.. the patch was already out by the time slashdot had the "news" that microsoft would be releasing the patch.
Obviously they looked at how he fixed it, snarfed it, and now we will see how 'MS innovation' spin produces a hotfix in record time.
If they're still running Windows 95/98, it already sucked to be them...bug, patch, or no...
There is no God, and Dirac is his prophet.
They would have released it earlier, but their test machines kept getting hacked...
I heard it was because they were having a tough time to come up with the $40 a computer needed to acquire the software to distribute in the patch.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
So all of you out there with WMFs with SETABORTPROCs in your META_ESCAPE records, beware!
(Not sure what I just said.)
His wife could not be reached to comment on this!
***rimshot***
Thanks folks! I'll be here all week. Don't forget to tip the wait staff.
Translation: "Our ass needed covering even earlier than anticipated."
Tag lost or not installed.
By your logic, Microsoft also has not patched the vulnerability. From the MS06-001 FAQ:
So, they basically used exactly the same workaround as the 3rd party patch that's been out for a week.
Causation can cause correlation
Great you have done a Case study on me..
SO Now EVERYONE knows what I'm running and what I may or may not be Vulnerable to.
I wouldn't doubt that Xerox and rest called MS and Blew their top.
Not to mention you can just go to http://www.microsoft.com/resources/casestudies/ for a list of targets
We are a smaller shop we have about 100 desktop/servers. I called and voiced my opinion in a calm and Firm fashion. I guess A LOT of others did as well.
I'm convinced that it should hit every version of Windows. I have been embedding wmf for my thesis and proposals win 1998. I had lots of memory problems using either Word or Word Perfect to open those documents. Even with only a few wmfs embedded in Excel, or other third party applications (that were obviously using windows API to render them). Then I switched to StarOffice and the problem vanished... for me. My supervisor, with a much more powerful computer still had trouble. I guessed at the time that it was some kind of memory leak in the Windows rendering engine, and since StarOffice was cross-platform, they were probably using their own code to render it, and not the API. Back then I only thought how nice it was to be using StarOffice instead of constantly rebooting the computer and getting nothing done. I never thought back then that memory leak could mean buffer overflow which could mean security vulnerability. I have the feeling that it's related. Of course I'm not a computer guy. Obviously the bugs were never fixed from version to version, and I can't believe I'm the only one who noticed that wmf files, which are not supposed to take that much memory compared to raster images could turn into such a nightmare. My supervisor's Word still renders horribly wmf files that show very nicely in OpenOffice. To this day I still include my graphs as raster images for his sake.
I like my dinosaurs feathery, and my pterosaurs hairy (or is it pycnofibery?)
The real reason MS posted the patch is to shut ya' all up and stop the blogsteria from continually feeding the tech media frenzy. My place of employment (30,000 users) has not had any problems with the exploit. At my daughter's place of employment (180,000 users all over the world) IT reports no problems with the exploit.
But I want to thank you all for wonderful week of waiting for the sky to fall!
"Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?
No. Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions."
from
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
Oooooooh boy, I feel for those folks that have older machines... they're basically fucked. MS doesn't even call this "critical".
...Rob
The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
Early would have been before the original flawed release, surely?
Do you see what I did there?
Of course, if Linux became the mainstream desktop OS, this would be a non-issue.
You're right! That's because nobody could figure out how to patch their machines in the first place!
That's how it works in XP, and what percentage of XP users can patch their machines
The - final? - twist in the long, strange trip of the WMF bug - the vulnerability that just keeps on giving - has been revealed by H D Moore, the author of the Metasploit exploits (which is now on a third generation and even tricksier than ever!:)
After all the jokes about WINE compatibility... it turns out that WINE is vulnerable, too!!
To quote the words of a song by H D's namesake, Dudley:
(And I'm posting from a Thinkpad running Mandriva GNU/Linux, the first time I've been 100% Billy free at work as well as at home since 2000, so I'm allowed to laugh... no WINE for me cos I only run Free software *smug* :)
Where are the patches for Win 98, Win 98 SE, and Win 98 ME? Microsoft rates this as a critical exploit and is supposed to release patches for critical exploits so where are they? Millions of people still use these operating systems.
-- SKYKING, SKYKING, DO NOT ANSWER.
I never thought back then that memory leak could mean buffer overflow which could mean security vulnerability
In this case, it's not a buffer overflow bug. In fact, it's not even a bug, per se. It's a feature, or at least a really bad design flaw that no one has stumbled upon/abused up until now. See F-Secure's writeup.
#include <signature.h>
Believe it or not Dos is still run in production. I know. I have dos machines on my network.
Charles Wyble System Engineer
Patching a few hundred servers is not how I wanted to spend my evening.
---- Booth was a patriot ----
I would rather have them release it as soon as it is ready. Even if it is done in steps.
Step 1) Release a fix that will close the security leak 100%, even if it means some things will not work anymore
Step 2) get a release that fixes everything so everything works as it should.
Step 1 can be done in hours. Step 2 then has much less pressure. It can be released when ready.
I can't understand how you can put a date and even less a time on a security patch. What if they are ready earlier? What if they are not ready at all?
Don't fight for your country, if your country does not fight for you.
I'd bet that 2000 SP4, XP Professional, and 2003 Server hardly took any time at all to prepare.
The x-64 2003 server and x-64 XP PRO probably required a bit more preparation and testing.
But someone in our party just had to order the 2003 Itanium-based product and make us all wait!
Ilfak's unofficial patch did not require a re-boot. Microsoft's does. Supposedly both patches do exactly the same thing.
Unless they're including a time machine in the patch, I would call this release "late".
Microsoft's policy is that they will only release critical patches for 9X/ME systems because they have EOLed them. Their study of the vulnerability found that while those systems are vulnerable, that it is not critical because no attack vector has been identified. Whether or not you trust their assessment is another question, but that's why there's no patch for them. See questions 2, 3, and 4 in the FAQ.
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
I suspect 3.x is the same, but really, if you're using 3.10 as a desktop...
Ilfak's patch required a reboot to start applying to new processes, rtffaq.
I couldn't seem to find it.. is Microsoft doing a standalone distributable update (like for the flaw that took out some news networks) for large amounts of computers? A link would be helpful if someone had it.
space is pretty cool.
This is "Less late".
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
As an update to the story, Microsoft has announced that the patch release was a hoax.
Hackers were supposedly able to infiltrate Microsoft systems after Bill Gates viewed an email in Outlook containing a WMF file disguised as a GIF. Other reports say Gates visited a site containing the compromised file while using IE.
Bill Gates had this to say: "That's a lie. Everyone knows that I'm too smart to use IE or Outlook. Do I look like a retard to you?"
Microsoft claimed that they had no intention of releasing a patch early, especially a working one.
From the press release:
We at Microsoft have specific guidelines to prevent this sort of thing from happening. A Windows platform that works perfectly would damage the booming IT industry. Microsoft is dedicated to providing a safe haven for up and coming sys admins and tech support specialists
When asked about their aborted plans for the security fix, the PR spokesman replied, "This vulnerability has been fixed in Vista. Had the hackers not maliciously spread this patch, users could have officially fixed it by shelling out $1,000 for Vista when it is released."
In a final press release of the day, Microsoft has discovered a new vulnerability:
It has been discovered by a team of experts at Microsoft that all Windows machines will explode violently the day after Vista is released. This problem does not exist in Vista, however. Because no known exploits exist for the vulnerability, the status is set at Super-Cute-Pink-Bunny-Harmless. Since it has such a low status, a patch should not be expected until a month after Vista has been released.
If this signature is witty enough, maybe somebody will like me.
Anyone who uses Cross-Over Office, Cedega, or plain old Wine (all 10 of you) -- your system is vulnerable to the recent WMF exploit. Loading an office document in Cross-Over that has an embedded WMF file will execute arbitrary code on your system. Gamers -- any games that display user-defined graphics (avatars, etc) and accept the WMF/EMF formats, could be exploitable. A patch was submitted to the Wine development team, but it may not be available for a while (especially if you use a commercial derivative). Please see the following URL for more information:
http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0173.html
Actually, we still have a number of old legacy apps for some specialized hardware that we're still using DOS software for. Fortunately, all but one will run in a DOS session under Windows. I actually still see quite a lot of DOS software out there, particularly with Point of Sale systems and the like.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Yeah, there is no way to "exploit" anything on those versions...
lucm, indeed.
-------
Userfriendly? Sure it is, unless you aren't computerfriendly!
/me to a classmate on FreeBSD
There are people who use ME that care about their OS enough to patch it?
There are people who use ME that care about their OS?
There are people who use ME?
I'm confused.
If this signature is witty enough, maybe somebody will like me.
So, they basically used exactly the same workaround as the 3rd party patch that's been out for a week.
The MS patch removes the call in the WMF rendering engine that calls the gdi32 Escape() function with the SETABORTPROC parameter. The 3rd party runtime patch that's been around 'for a week' killed the Escape() function's ability to receive the SETABORTPROC procedure in _all user32.dll bound applications_ called by _anything_ for _any purpose_, 'breaking' more than just the WMF rendering caller.
Microsoft couldn't have done any better because this wasn't a coding error like a buffer overflow, it was an ancient long forgotten genuine feature.
Add/Remove Programs -> Remove the unofficial hotfix first and then reboot, this'll totally clear the unofficial hotfix from memory (it's a runtime patch not an on disk fix).
THEN install the official patch.
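The comments above name the mechanism: a META_ESCAPE record whose escape function is SETABORTPROC. As an added example (not part of the original thread, and not Microsoft's or Ilfak's code), here is a file scanner that walks a WMF record list and flags such records. The record constants follow the published WMF format; the helper names and the sample bytes are constructed for this example, and the sample carries no payload.

```python
import struct
from typing import NamedTuple

PLACEABLE_KEY = 0x9AC6CDD7  # optional 22-byte placeable header before META_HEADER
META_EOF = 0x0000           # record function that terminates the record list
META_ESCAPE = 0x0626        # record function for printer-escape records
SETABORTPROC = 0x0009       # escape function the comments above refer to


class ScanResult(NamedTuple):
    offsets: list    # byte offsets of META_ESCAPE records selecting SETABORTPROC
    malformed: bool  # True if the record list is truncated or inconsistent


def scan_wmf(data: bytes) -> ScanResult:
    """Walk the records of a WMF file and report SETABORTPROC escapes."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22
    if len(data) < pos + 18:
        raise ValueError("too short for a WMF header")
    file_type, header_words = struct.unpack_from("<HH", data, pos)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF file")
    pos += 18
    hits = []
    while True:
        if pos + 6 > len(data):                 # ran off the end before META_EOF
            return ScanResult(hits, True)
        size_words, func = struct.unpack_from("<IH", data, pos)
        size = size_words * 2                   # RecordSize is counted in 16-bit words
        if size < 6 or pos + size > len(data):  # size smaller than a record or past EOF
            return ScanResult(hits, True)
        if func == META_EOF:
            return ScanResult(hits, False)
        # The format identifies a record type by the low-order byte of
        # RecordFunction, so compare on that byte rather than the full word.
        if (func & 0xFF) == (META_ESCAPE & 0xFF):
            if size < 8:                        # no room for the EscapeFunction field
                return ScanResult(hits, True)
            (escape_fn,) = struct.unpack_from("<H", data, pos + 6)
            if escape_fn == SETABORTPROC:
                hits.append(pos)
        pos += size


def should_block(data: bytes) -> bool:
    """Gateway policy for this example: block flagged or malformed WMF files."""
    try:
        result = scan_wmf(data)
    except ValueError:
        return False  # not a WMF at all; out of scope for this check
    return bool(result.offsets) or result.malformed


def _record(func: int, params: bytes = b"") -> bytes:
    """Serialize one record (constructed test data)."""
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_sample(with_escape: bool, placeable: bool = False) -> bytes:
    """Constructed, inert sample: one META_SETMAPMODE record, optionally a
    META_ESCAPE/SETABORTPROC record with zero bytes of escape data, then META_EOF."""
    records = [_record(0x0103, struct.pack("<H", 1))]  # META_SETMAPMODE, MM_TEXT
    if with_escape:
        records.append(_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)))
    records.append(_record(META_EOF))
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, 5, 0)
    prefix = b""
    if placeable:
        prefix = struct.pack("<IH4hHIH", PLACEABLE_KEY, 0, 0, 0, 100, 100, 1440, 0, 0)
    return prefix + header + body


if __name__ == "__main__":
    for name, blob in [("clean", build_sample(False)),
                       ("escape", build_sample(True)),
                       ("truncated", build_sample(True)[:30])]:
        print(name, scan_wmf(blob), "block" if should_block(blob) else "allow")
```

Because the file type is decided from the header rather than the file name, the same check applies to a WMF that arrives under another extension.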
"If Microsoft Doesn't Fix Windows 98/ME, GRC will. Microsoft has "reclassified" the WMF vulnerability in Windows 95, 98, and ME as non-critical. This means that it will probably NOT be updated and patched for the WMF handling vulnerability that those older versions of Windows apparently have."
So, if Microsoft does not produce an update to repair those older versions of Windows, GRC (Steve Gibson) will make one available.
Source: http://www.grc.com/sn/notes-020.htm
- I just think that maybe in near future patches for Windows from outside Microsoft will become more common...
-xet7
Not true; see http://it.slashdot.org/comments.pl?sid=173098&cid=14405082
You laugh but I recently dug up 14 floppies of the original Windows 95 release, that's pre-SP1 (which was only released months later). It totals 21MB and I'm tempted to install it for fun.
The IE5 SP2 package (weighing in at 84.4MB it was the version of IE before IE6) still gets Windows 95 users access to windows update I believe, just no water running in them pipes now.
Or so we have to assume. A real blackhat isn't going to advertise his source of income so that patching makes his goldmine obsolete. The fact that we only see dumb, recycled exploits over and over again may very well be caused by an evolutionary process. (Nice, huh, how I can get an ID remark even into a Microsoft topic?)
What I'm saying is: there is a very real possibility that this exploitable bug/feature has already been used to enter your network. To rob you blind, change that one number in a CAD-assisted engineering plan for that new super-structure/nuclear reactor, kill that one patient, who will tell?
The rest of the story I'll leave to your imagination, lest I be accused of bashing.
Has anyone else noticed a delay when saving a file in the GIMP after applying the patch?
I'd rather have someone respond than be modded up.
that the unregister workaround only cut off some of the nastier attack vectors but not necessarily all of them.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
CONSPIRACY THEORY: This is how they will finally get everyone to upgrade, from fear. But I will continue to use my WIN98SE box, running my favorite PCB CAD program.
Insanity: doing the same thing over and over again and expecting different results. Albert Einstein
A remote code execution security issue has been identified in the Graphics Rendering Engine that could allow an attacker to remotely compromise your [Windows computer].
I mean, what's next? Opening a mis-formed text file with Notepad gives an attacker root access?
But I think the more serious problem is that MS doesn't release patches when they're ready, except in cases when it's very serious (like this). What if this had happened a week from now, but wasn't discovered for yet another week or something? Would they still release early? End-of-life schedules also present problems, with older releases often being affected by new vulns but not being patched.
I'm pretty sure that IE 5.0 for Windows 3.1 can.
Whenever I hear the word 'Innovation', I reach for my pistol.
Windows 3.0 was the last release with 8088 hardware support, you insensitive clod.
Why? I have an older computer. Win 98 SE does everything I need just fine. Why do I want to buy a new computer just so I can pay Microsoft for a newer operating system that I don't need?
-- SKYKING, SKYKING, DO NOT ANSWER.
Microsoft didn't mean for this to be released this week.
http://news.com.com/Microsoft+inadvertently+leaks+WMF+patch/2100-1002_3-6018263.html?part=rss&tag=6018263&subj=news
I noticed the little shield icon so started clicking to install the patch. When it was done, it told me that I should reboot, so I did. I wasn't paying attention when the computer came back on, so it went into the default OS. So now, I'm happily typing away in Linux. Which reminds me that I need to change the default OS back to Windows before my wife notices.
1. People like to b*tch about everything no matter how good they have it.
2. Most of the people here would still hate Microsoft even if Bill gave up 75% of Microsoft's yearly profit to fund cancer research. You'd all whine "Why can't Billy give 90%, that evil, crooked b@stard."
All you Billy-bashing knuckle-draggers can't even fathom the fact that if Mac OSX or RedHat were the top dog in enterprise sales and Microsoft was the undercapitalized weakling, viruses, worms, and spyware would no longer exist for the Win32 platform. Why would the hackers and script kiddies spend all time and effort trying to target only 20% of the market?
You also don't have the mental capacity to appreciate Microsoft's innovative contributions to the IT industry, either directly or indirectly. Many of our current technologies were spurned directly from the spirit of competition against Microsoft. So MS buys someone out. Why hate MS? Why don't you hate the seller for selling out? You are all just looking for something to whine about.
Oh and if you claim that they are really engineers then that is good. We should be able to find the person that signed off on this wmf code and promote him to head of software development at MS.
Cause let's face it, nobody has even been fired for putting bugs in MS software.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Yes this was also in another post, but here you go:
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
I was able to download the XP and 2000 patches just fine with Firefox from that link.
You should look up the word "spurned". I think that the word you want might be "spawned". At any rate cowboy "spurned" has got nothing to do with spurs.
How many beans make five, anyhow ?
Thank you for your interest in obtaining updates from our site.
..... I use firefox so I don't have to use their crap any more than I have to, but I have to use their crap in order to fix another piece of their crap .....
To use this site, you must be running Microsoft Internet Explorer 5 or later.
To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.
How bloody typical
Has anyone else noticed that after installing the "WMF Patch" you now have a "My Websites on MSN" site in your "My Network Places" and that Firefox v1.0.7 now hangs on load? That's a good way to win the browser war. Great job Microsoft!
word and write files can host and render WMF files internally. the fact that nobody has written a file that uses that as an attack vector doesn't mean that it isn't possible, only that there is such an easy (and consistent) route to owning winxp that nobody has bothered with the older systems yet.
:)
After all, if you are a bot author, would you rather build and test for winXP or support legacy Win98 boxes with their weaker networking stack, device driver problems, etc. Think of all the support calls
Liar! It's much more complicated than that. It's 'click on the update menu item, type the root password, click install all, and wait'.
Hah! Got you there! Not if you are already root!
Wow. I'd say it's not a feature, or a design flaw, it's actually a designed in back door to execute arbitrary code contained within the WMF object.
It proves the point so many of us have observed: Friends don't let friends put Windows on networks. Its 'trust everything' design should have been revisited at the same time as MS built their first network stack.
Justin.
You're only jealous cos the little penguins are talking to me.
Yes, chawley. Thank you for pointing that out. Now let's see if people can get past one inappropriately used word and focus on the point of the comment.
To paraphrase:
Except that your car is so old it doesn't really have keys or anti-theft protection, so criminals keep taking it and using it to try to run other people off the road, litter the streets with spam, or create traffic jams of old beaters tying up the interstate so no one else can use it (DOS attack). It's so old that it's just not safe any more, and should not be allowed on public roadways.
Besides, car prices have changed. That new car costs about half of what your old monitor did way back when... ;)
I do not fail; I succeed at finding out what does not work.
Oh but I did, my dear good sir, I quite got your point (just had to open my mind a bit) thought I'd point out the mistake, though. Must admit I thought it was a cowboy getting a bit carried away. For the record, I quite agree with you - but I did think that the mistake would cause a smile. Worth underlining it for the smile, I thought. Didn't mean to bother anybody. Mes excuses.
How many beans make five, anyhow ?
> but really, if you're using 3.10 as a desktop...
No, you see, I never upgraded to 3.1, because it requires a 386 CPU...
Cut that out, or I will ship you to Norilsk in a box.
Since my computer is running MS-Windows 95 (when it runs MS-Windows), it's safe.
Those who sacrifice security to condemn liberty deserve to repeat history or something. - Benjamin Santayana
Ooops, sorry. I was reading non-threaded.
No, you see, I never upgraded to 3.1, because it requires a 386 CPU...
That's not true. Windows 3.1 runs happily on a 286 provided you have enough ram. You just don't get the benefits of "386 Enhanced Mode".
Yes, it does. My Win 98 SE box is behind a stout hardware Linux firewall that has a shitload of ports blocked off. The Win box itself has a software firewall, grisoft avg, and several malware/spyware removers. I simply won't run a Windows box on an external IP address, no matter what version of the operating system. I just don't trust Microsoft. I also have a Win 2K Pro box btw and I take the same precautions with it.
-- SKYKING, SKYKING, DO NOT ANSWER.
You can log in to Yahoo webmail for the first 8 hours of a major outbreak
and still download known-bad attachments.
Hotmail webmail currently blocks 49 file extensions, but WMF is allowed.
And last time I looked, Norton's 7.x and 8.x Corporate clients show new
DATs available once a week on Wednesdays only after 5pm EST. Hell,
Symantec had to get their own house in order last week (RAR) anyway.
And yes, I have a 1995 Jeep Wrangler. It gets me around town. I don't want to buy a new Jeep because the stuff being put out today by Chrysler sucks. I've added anti-theft protection to my 1995 Wrangler. I keep it in tip top mechanical condition so it's safe. And a new jeep costs a shitload more than what I paid for my Jeep in 1995.
-- SKYKING, SKYKING, DO NOT ANSWER.