Slashdot Mirror


Microsoft to Patch WMF Exploit Early

Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm ET, instead of Tuesday, as originally planned. Microsoft writes: 'Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.'"


  1. Reactive vs Proactive by biocute · · Score: 5, Insightful

    Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.

    It would have been nicer if they make patches available as soon as possible with or without strong customer sentiment.

    1. Re:Reactive vs Proactive by Anonymous Coward · · Score: 5, Informative

      Patch has been released.
      Get it here http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx

      According to the folks at F-secure, it co-exists well with Ilfak's unofficial patch as well as the REGSVR32 workaround. Read their blog here. http://www.f-secure.com/weblog/archives/archive-012006.html#00000771

    2. Re:Reactive vs Proactive by cnettel · · Score: 5, Interesting
      For an out-in-the-wild exploit, I would agree. For one that is currently, to their knowledge, not known among the script kiddies of the world, I'm not so sure. Releasing a patch will, generally, make those who are not yet prepared to implement it more vulnerable, if it means that knowledge of details is more wide-spread.

      I think that some corporate users (especially) are quite thankful for patch Tuesdays; especially those that have been bitten by some compatibility issue previously and can't just run autoupdate of all desktops at night, but rather want to roll it out manually.

      Again, this is not the case here, this exploit was discovered in the wild and it's spreading right now.

    3. Re:Reactive vs Proactive by targo · · Score: 3, Insightful

      It would have been nicer if they make patches available as soon as possible with or without strong customer sentiment.

      This doesn't make any sense. All patch release dates are a function of:
      1) impact of the problem
      2) complexity of required testing
      The idea being that the patch shouldn't cause more harm than the original flaw.
      If the impact is huge, testing of more obscure cases can be deferred somewhat. If the impact is small, more time can be taken.
      So if there hadn't been any customer sentiment (i.e. no one cared), it would make no sense to rush the patch and risk breaking something.

    4. Re:Reactive vs Proactive by grcumb · · Score: 4, Insightful

      "If the impact is huge, testing of more obscure cases can be deferred somewhat. If the impact is small, more time can be taken."

      I'm with you so far....

      "So if there hadn't been any customer sentiment (i.e. no one cared), it would make no sense to rush the patch and risk breaking something."

      Err, that's a non-sequitur. Whether customers care or not has nothing to do with the cost/benefit analysis that decides the timing and scope of an initial patch. A software company should never rely on its customers to perform risk analysis. If it's serious (and the WMF flaw is egregiously so), then you find a way to protect your customers as quickly and effectively as you can. In some cases - though certainly not all - you can even accept shortcomings in the patch itself if it significantly reduces the risk.

      The third-party patch, for example, causes issues with the Windows printing subsystem. People voiced suspicions that this might be the case right from the start, though confirmation only came through earlier today. To my mind, that was an acceptable risk. A server that can't perform some print tasks and won't show pretty preview icons is worth a heck of a lot more to me than one that's 0wned by some random script kiddy.

      And before some astroturfing twit spouts the simplistic, binary logic of 'MS is damned if they do and damned if they don't', I'd like to say from experience that deciding the timing of a security patch is a terribly difficult process. It requires the right amount of analytical skill, deep technical expertise, a healthy dose of horse sense and exactly the right measure of patience. Too much or too little of any of these can result in exactly the wrong kind of response.

      Patching is not about being a nice guy. It's not about what your customers think of you. There should be no marketing or sales angle in the creation or timing of a security patch. You determine the scope and severity of the threat, be as thorough as you can reasonably hope to be (and that's never as thorough as you'd like), and deliver it as soon as you reasonably can.

      I'm in complete agreement with this handler's diary from isc.sans.org concerning Microsoft's announcement that they would issue the patch at the regularly scheduled time. Given the severity of the flaw, it's unconscionable that they should leave their customers exposed for so long. The fact that they only decided to release the patch out of cycle in response to their users demonstrates that they're far more worried about their image than they are about their software. This does not bode well at all for them. Or for their customers, for that matter.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    5. Re:Reactive vs Proactive by jatemack · · Score: 2, Informative

      it co-exists well with Ilfak's unofficial patch as well as the REGSVR32 workaround.

      And if you did the REGSVR32 workaround, you can now get back the functionality of Windows Picture and Fax viewer.
      Click Start, Run, Type "regsvr32 %windir%\system32\shimgvw.dll" (without the quotation marks) then OK.

      This info was kind of buried here.

      --
      // no
  2. and millions of /.'ers groan... by B00yah · · Score: 5, Funny

    Thank you for your interest in obtaining updates from our site.

    To use this site, you must be running Microsoft Internet Explorer 5 or later.

    To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.

    1. Re:and millions of /.'ers groan... by ergo98 · · Score: 3, Insightful

      Well the funny thing is that this exploit only affects Internet Explorer as well. So basically what they are saying is

      They aren't "saying" anything. The Windows Update web app, as a requirement of the fact that it uses ActiveX, requires Internet Explorer. Nonetheless, not only is the patch rolling out right now via auto-updates, you can also download it directly.

      In any case, even though I use Firefox and Opera for my day to day browsing, I really don't feel that threatened firing up Internet Explorer for the purpose of connecting to Microsoft.

    2. Re:and millions of /.'ers groan... by SirDaShadow · · Score: 2, Informative

      go get the IEtab extension for Firefox and whitelist update.microsoft.com to use the IE engine instead of the gecko engine and voilà...

    3. Re:and millions of /.'ers groan... by ergo98 · · Score: 2, Insightful

      Duh.... it's their deviation from standards that keeps making them vulnerable. ActiveX is more a security flaw than a feature and it's their choice to continue to try and force it down people's throats than attempt to conform with industry/w3c standards.

      Conform with industry standards? What sort of nonsensical groupthink claptrap is that? Is there a W3C standard on updating system libraries via a webpage that Microsoft isn't conforming to? Right - no there isn't, and ActiveX exists as embedded content just like Flash, Java, and many other non-W3C technologies, as it should.

      As mentioned, though - THERE ARE TWO OTHER AVENUES FOR GETTING THE PATCH, rendering your original comment ridiculous at the outset.

    4. Re:and millions of /.'ers groan... by l1_wulf · · Score: 4, Informative

      Actually, the only reason IE is vulnerable but FF & Opera are not, is because the other big name browsers associate WMF files with Media Player instead of Picture and Fax viewer. WMP does nothing with WMF files, therefore nothing happens when exposed to the vulnerability. On the other hand, should the offending graphic actually get on your hard drive and you use Google Desktop, you will be vulnerable due to the indexing done immediately after download (obviously, if you have indexing turned off for graphics, this won't happen).

    5. Re:and millions of /.'ers groan... by TuneShark · · Score: 2, Informative

      I went here for using firefox, followed a few links, and was allowed to download and install the patch:

      http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx

    6. Re:and millions of /.'ers groan... by cnettel · · Score: 4, Informative

      I'm not so sure about that. Yes, some picture loading libraries provided in Windows will do this. No, LoadBitmap won't (it's not a bitmap!). IIRC, Firefox doesn't use the same high-level libraries, as they are rolling their own code on all platforms. So, no, it won't happen. You can easily try this if you have a valid WMF file lying around. Rename it to JPG and open in FF. It won't render, complaining about an invalid header. Rename a valid PNG to JPG or a valid JPG to PNG, though, and it renders just fine. Firefox does auto-detection of image type, but not autodetection of WMF.

    7. Re:and millions of /.'ers groan... by deaddrunk · · Score: 2, Interesting

      Is there a way for a non-privileged user to receive notifications of new updates? I only knew about this one because it was so widely publicised. I know I can just log on as super-user first when I start my machine but I'd prefer to just have the notification before I have to log on to the super-user account.

      --
      Does a Christian soccer team even need a goalkeeper?
  3. Feh ! by witte · · Score: 5, Funny

    No problem... there's plenty of other exploits for windows.

  4. whatever by TheRealMindChild · · Score: 3, Funny

    testing has been completed earlier than anticipated

    Sure.

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
  5. Splendid... by Hymer · · Score: 4, Insightful

    ...only 10 days too late...
    ---
    tis is not a FP

  6. 3rd person by kennygraham · · Score: 5, Funny
    Microsoft writes: "Microsoft originally planned...
    kennygraham is glad that they're patching it early.
  7. 8 Days to patch by badriram · · Score: 3, Insightful

    Maybe it is just me, but 8 days for a tested patch does not seem that long. However it was a 0 day which made this exploit special.

    1. Re:8 Days to patch by Anonymous Coward · · Score: 5, Insightful

      ProTip : If a third party can patch it faster than you, without access to the original source code - you suck.

    2. Re:8 Days to patch by MatD · · Score: 5, Funny
      I'm a third party, and I can patch it right now without even touching the code. Just beat your hard drive with a hammer, and you will be immune to the exploit.

      I have no idea what the side effects of this will be for your other applications (because I didn't do any regression testing), but I'm not MS, so I don't really care. Mat

      --
      Since when did operating systems become a religion?
    3. Re:8 Days to patch by croddy · · Score: 5, Insightful
      1. Release patch 8 days late
      2. Describe it as an "early" release
      3. ???
      4. Profit!!!
    4. Re:8 Days to patch by flynt · · Score: 2, Informative

      The third party patch didn't actually (AFAIK) patch the file in the operating system. It simply blocked the calling of the Escape() function, which broke printing on several machines and programs. So while a decent workaround for this week, it really isn't a long term solution. I got this information from SANS' ISC.

    5. Re:8 Days to patch by TubeSteak · · Score: 4, Funny

      Your method sounds pretty easy.

      Do I have to reboot afterwards?

      --
      [Fuck Beta]
      o0t!
    6. Re:8 Days to patch by 10101001+10101001 · · Score: 2, Insightful

      >>It would have been nicer if they make patches available as soon as possible with or without strong customer sentiment.

      >Maybe it is just me, but 8 days for a tested patch does not seem that long.

      Eight days to test a patch might not be long, but if after you've tested it for 8 days you decide to delay releasing the patch for 10 more days to make it easier on consumers, then you've got to recognize that you've got a pretty major problem that a) you're patching so often that such is an issue and b) your patching mechanism is so bad it's such a hassle to apply patches.

      >However it was a 0 day which made this exploit special.

      Actually, there's a major problem with that mentality. How do you know that this exploit is special? For all you know other exploits MS is sitting on and already has a tested patch for are being exploited *right now*. Even worse, because you've deluded yourself into believing that you not hearing about an exploit from the press pre-patch release means you can apply the patch without worry that your box isn't already rooted.

      Of course, most people don't do a clean install over any patch, even if they're exploited by some program, unless it's utterly apparently necessary (ie, your computer is crashing so often you simply can't do anything). Why? Again, because it'd be such a hassle. Considering how many companies use Windows machines as front-ends to all sorts of data they probably don't want leaked out, it's amazing that Windows machines are even still accepted, regardless of how "necessary" Windows is. I guess it'll take a few high-profile cases of corporate espionage through non-press announced 0-day exploits for things to change.

      Oh, and just to make it clear, this is just as much a problem in Linux. The biggest advantages Linux and any open source OS have going for them are they can be trimmed to a very minimal set of files, which reduces the chances of containing an exploitable file let alone providing a means to exploit it. The long term answer is probably verifying software, much like how OpenBSD was audited multiple times. If I were a company, I'd really look into OpenBSD over all OSs.

      --
      Eurohacker European paranoia, gun rights, and h
    7. Re:8 Days to patch by eyeye · · Score: 2, Informative

      If it were Firefox, you'd be praising them for releasing a patch so fast. And you'd be downloading 16 megabytes just to patch one little obscure feature

      Why would you download Firefox three times?
      --
      Bush and Blair ate my sig!
  8. is their face red by zietlow · · Score: 5, Funny

    "in response to strong customer sentiment" I.e., we look foolish that the community was able to fix it sooner than we were. Here you go, we're not that bad after all, see?

    Let's be friends again.

    --
    Slashdot # 199661 the number that's the same upside down and right side up
    1. Re:is their face red by Sheepdot · · Score: 2, Informative

      Regarding the third-party patch...

      I simply unregistered the dll file on both work and home XP computers, but not the others I help supervise. The folks that are concerned about hackers "re-registering" it are working with the assumption that there is either another 0-day exploit out there that allows the hackers to do that, or don't understand how the vulnerability works. Also, the need for a patch on Windows 98, NT, or 2K is nonexistent.

      I honestly think relying on a third-party to patch a system is ridiculous. Someone could tell me there is absolutely no ill-intent on behalf of the person releasing the particular patch, and even tell me exactly what the patch does. I still wouldn't implement it. The reason, of course, is because in five years, Microsoft will still be Microsoft, whereas Ilfak Guilfanov might disappear or ignore requests for help. Who knows if he'll even be contactable?

      Also, FYI, this specific "patch" he created hides windows functionality on a kernel level. There are other pieces of software that use this same kind of methodology: rootkits. While this could be considered a white-hat rootkit, it's just not a legitimate fix for the real problem. Unregistering the dll was the best solution for security nuts.

      Accountability is a very important factor. Microsoft might be taking a gamble on not releasing an insta-patch that breaks (what amounts to being) unused functionality at the cost of security, but that is their prerogative. Home consumers, and their other clients, get to be the judge on whether or not they are doing the right thing. By releasing this patch early, I think they've quelled some corporate concerns.

    2. Re:is their face red by Kris_J · · Score: 2, Insightful

      You are confusing accountability with ability. When the ideal situation does not exist, both must be considered.

  9. It's already out.. by Anonymous Coward · · Score: 2, Insightful

    http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

    WSUS picks it up on synch so start deploying once you've tested it internally. 5 days early? Not bad. Not great, but an official patch is always welcome. Hats off to the SANS team for applying the pressure. It's unfortunate that they were not mentioned in the Acknowledgements section of the MS06-001 release notes.

  10. So early? by flicken · · Score: 4, Funny

    They would have released it earlier, but their test machines kept getting hacked...

    --
    20 mil and I will! Learn Esperanto with 20M others.
  11. Really? by Life700MB · · Score: 2, Interesting


    Is it really a problem of customer sentiment, or is it actually the public embarrassment of a third party releasing a patch quicker even without the source code of the libraries?


    --
    Superb hosting 20GB Storage, 1_TB_ bandwidth, ssh, $7.95

  12. What the MS patch does by Anonymous Coward · · Score: 2, Funny

    Let me guess, they've added a warning message that says you're about to download or open a WMF then lets you do it anyway? It took them all week to develop because they needed to translate "OK" and "Cancel" to 47 different languages.

  13. Thank you, Big Brother by Gadren · · Score: 5, Insightful

    "It appeared that there had even been demonstrations to thank Big Brother for raising the chocolate ration to twenty grammes a week. And only yesterday, he reflected, it had been announced that the ration was to be reduced to twenty grammes a week. "

  14. I call bullshit by Anonymous Coward · · Score: 2, Insightful

    Somebody within M$ finally awoke to the public outcry from the sysadmins and ISC. Leaving your customers swinging in the breeze for weeks to release such a critical patch is criminal.

  15. MS Gets Up Early To Issue Patch! by Quiet_Desperation · · Score: 5, Funny
    "I usually sleep in to a reasonable hour for a Thursday, like, noon," said Microsoft, appearing at 8am at a press conference outside a Hardee's in Iowa, dressed in slippers and a blue bathrobe with the words 'Sexy Grandpa' emblazoned on the back. "But all you whiiiiiiiiners wouldn't let me get my rest. So I'll crank this thing out and have it on Windows Update by 11am."

    "When will the patch for the patch be released?" asked Fox News correspondent Bubbles McConnifer, causing the press corps to giggle like schoolgirls in heat.

    "Smile when you said that, bitch," growled a visibly angered Microsoft, who then motioned to two pinstripe suited thugs who escorted Ms. McConnifer from the press conference.

    "Any other questions, whores?" asked Microsoft, placing fists on hips and allowing his 'MS Certified Otakus Rule!' T-Shirt to be seen. His query was greeted by silence. "Well alright, then."

  16. Rough translation by ctid · · Score: 4, Funny
    testing has been completed earlier than anticipated

    Our customers are getting pwn3d.
    --
    Reality is defined by the maddest person in the room
    1. Re:Rough translation by sharkey · · Score: 2, Interesting

      Since when did that matter to Bill & Co.?

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  17. I know, I know... by Eberlin · · Score: 3, Insightful

    Damned if they send out patches as they're made (too many, too confusing) and damned if they wait 'til Patch Tuesday (negligent, inconsiderate).

    We can't have it both ways, and neither should they. I say send out patches as they're made and let the sysadmins be responsible for whether they can keep up or not. It may be difficult to admin many machines that have to be patched but I'd rather have fixes available ASAP and put the burden on IT to apply them.

    Yeah, there are patches that will break stuff and ample testing should be done anyway...but does rolling them all into a Patch Tuesday really change that fact? Probably not.

    With this sentiment, we can put more pressure on Patch Tuesday for what it really is -- a Trustworthy Computing PR stunt in which the number of fixes and vulnerabilities seems to be lower (since we're only patching once a month...maybe).

    All that said, kudos to MS for reacting...but unkudos for taking this long...and major unkudos for being naive about the WMF design to begin with.

  18. It still took a long time! by LinuxDon · · Score: 3, Interesting

    The exploit writers have had the exploit ready for quite a while now.
    While MS was 'testing' everyone has been installing 'fixes' from other sites..
    Even IF their patch was not 100% it wouldn't really have mattered in this case.

    There was a gaping security hole in their OS and they still needed 12 days to come up with a fix!
    For such a large company whose software is being used by *millions* of people worldwide and 7 billion a quarter profit, they've sure taken their sweet time!

    Why don't they take some 0.01 percent of that 7 billion and test/release it sooner?

  19. Error in the summary... by Ransak · · Score: 3, Funny
    The security update will be available at 2:00 pm PT as MS06-001.

    ... meaning all us east coast admins will be staying late tonight. Joy.

    --
    "Powers. I have them."
  20. Clip Art by scolby · · Score: 2, Interesting

    Intrigued with the brouhaha surrounding WMFs, I did a search for them on my machine. The only WMFs I found were Microsoft's clip art. Which begs the question: is there anyone out there who isn't Microsoft who commonly uses this file type?

  21. Early release to catch out the hackers by briqui · · Score: 3, Insightful

    Telling everyone that they are going to wait till Tuesday to patch the problem, then releasing a patch 5 days earlier might actually be quite a neat trick.

    I'm sure a lot of people out there who were planning to take advantage of this problem have been thinking that they have till Tuesday to write a really good exploit, and therefore not hurrying too much.

    Now Microsoft come along and patch it early.

    I don't know about anyone else but I was expecting Monday to be a day from hell...

    1. Re:Early release to catch out the hackers by bogie · · Score: 2, Interesting

      "I'm sure a lot of people out there who were planning to take advantage of this problem have been thinking that they have till Tuesday to write a really good exploit, and therefore not hurrying too much."

      I don't believe that for a second. People who wanted to take advantage of this flaw had their code done within 48hrs of the public disclosure. No serious hackers were waiting till this weekend to try and catch some people. It's a race you see. The last thing they wanted was to wait a week and let Antivirus makers and consumers get wise to this and start taking precautions.

      IMHO MS releasing this early is due to bad PR and massive pressure from customers. I think it had nothing to do with "tricking" crackers.

      And I also want to say thanks to a "real" hacker. Running around like crazy to install that 3rd party patch probably saved me from mucho headaches. Jeers to MS for taking so freaking long.

      --
      If you wanna get rich, you know that payback is a bitch
  22. Right... by Anonymous Coward · · Score: 2, Funny

    Does this mean I can't have an image file that creates bouncing pictures hopping around on my screen with some guy screaming that I am looking at gay porno?

    srsly, fuck u miKKKro$haft

  23. The Real Reason by guaigean · · Score: 2, Insightful

    Actually they are doing this to save face. The reason it is being put out "early" is because someone else wrote a fix for it already. People apparently flowed to this other site for the patch, and people started wondering what the problem was. Here was a person who without the Windows source fixed the bug, while Microsoft itself with full access to the code was delaying. In order to save face they had to rapidly deploy it rather than sit on it as they normally do.

    --
    Microsoft Sucks, F/OSS Rocks. I get mod points now right?
    1. Re:The Real Reason by TubeSteak · · Score: 3, Informative

      The other guy didn't fix the bug.

      he did not fix it

      All the 3rd party patch did was implement a workaround.

      --
      [Fuck Beta]
      o0t!
    2. Re:The Real Reason by TubeSteak · · Score: 2, Funny

      this vulnerability isn't a bug

      lol, it's a feature.

      these jokes write themselves.

      --
      [Fuck Beta]
      o0t!
  24. 2000, XP, 2003, but no 3.10, 3.11, 95, 98, or ME? by mosel-saar-ruwer · · Score: 2, Informative

    I'm only getting hits on 2000, XP, and 2003:
    http://www.microsoft.com/downloads/results.aspx?freetext=KB912919
    According to the Financial Times article highlighted at Drudge, Hyppönen said the vulnerability is supposed to hit "every Windows operating system since 1990".

    So is there a patch for older versions of Windows?

  25. Sober is the reason IMHO by PaxTech · · Score: 2, Interesting
    There's speculation that when sober.z goes into action tomorrow it may try to download a WMF exploit, hence the quick turnaround on the patch.

    I think that by this point Microsoft is pretty much numbed when it comes to public embarrassment.

    --
    All movements for social change begin as missions, evolve into businesses, and end up as rackets.
  26. Does *not* require Internet Explorer... by SenorCitizen · · Score: 4, Informative
    Thank you for your interest in obtaining updates from our site. To use this site, you must be running Microsoft Internet Explorer 5 or later.

    Funny, yes, but not true. The patch is available here:

    http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

    Just downloaded it with Firefox. It's just Windows Update that requires IE.

  27. 3rd party did not patch vulnerability by badriram · · Score: 3, Insightful

    They just blocked the execution of the vulnerable function. This to me is a mitigation method, not a patch. Think of it as, there is a vulnerability in mod_rewrite within apache, and a third party "patch", just disables it, to secure apache.

  28. Fixes already in the wild though? by shoptroll · · Score: 2, Informative

    This wouldn't have anything to do with the fact that the fix got leaked early, would it?

    http://grc.com/sn/notes-020.htm

    --
    Insert Sig Here
  29. Re:2000, XP, 2003, but no 3.10, 3.11, 95, 98, or M by MightyMartian · · Score: 2, Funny

    Boy, all those guys running web servers under DOS 5 must be pissing their pants!

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  30. Why not... by darthservo · · Score: 2, Funny

    Use the exploit to their advantage? Just change their logo to a WMF and use the exploit to push the patch out?

    --

    Prove it.

  31. Re:early my eye by javaxman · · Score: 4, Interesting
    It's the old "SCOTTIE" trick. They say they need until the 10th to test and patch and make sure it works and then they WOW us by being able to release it early. They had it ready before now, they are just trying to salvage what little they have out of this fiasco.

    They had it ready, if by ready you mean a version had been compiled and 'tested' once on the developer's machine.

    Trust me, right now in Redmond there's a whole team of Quality Assurance Engineers who are looking at their test plans, scratching their heads, and once again calling into question the actual value of their work, given that some manager can arbitrarily decide when it's time to rush a release regardless of what the schedule said or what the impact of a patch was or which cases remain un-tested. That, and they're really, really tired after pulling a couple of all-nighters.

    Have fun testing that patch.

  32. Sadly no by badriram · · Score: 2, Informative

    Here is the FAQ from the KB
    -----
    Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) were previously listed as affected, but are no longer listed. Why is that?
    Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, at this point in the investigation, an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions. Per the support life cycle of these versions, only vulnerabilities of Critical severity would receive security updates. For more information about the security update support policy for these versions of Windows, visit the following Web site.
    -----

    Although I do believe they should be patching this.

    1. Re:Sadly no by diersing · · Score: 2, Insightful
      There are a *lot* of companies apparently with their collective heads up their asses.

      If you are in this predicament, of supporting an NT4 environment - I feel for you, I really do. Seriously at some point avoiding the costs of upgrades is going to hurt more than cutting the dang check.

      ask not for whom the bell tolls...

    2. Re:Sadly no by Tony+Hoyle · · Score: 3, Insightful

      No, they're just companies that can't spend half a million dollars upgrading hardware and software just to run the latest whizz-bang eye candy from microsoft, when what they have works just fine.

      Over 40% of our customers are NT4 shops. Some of them are *big*.

    3. Re:Sadly no by Pii · · Score: 3, Informative
      Actually, the reason there's no attack vector is because while the same vulnerability exists on older versions of Windows, older versions of Windows don't have the Microsoft Picture and Fax Viewer configured as the default file handler for .wmf files.

      Ironic, as the older operating systems come from a time when that format may have been relevant. It's kind of funny that only after the Windows Metafile became obsolete did MS choose to create a default program association.

      --
      For those that would die defending it, Freedom
      has a sweet taste that the protected will never know.
  33. will? or did.. by mottie · · Score: 3, Interesting

    Posted by CmdrTaco on Thursday January 05, @12:56PM (3:56PM EST)

    Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm EST


    talk about releasing the news late.. the patch was already out by the time slashdot had the "news" that microsoft would be releasing the patch.

  34. Re:Old Systems by VAXcat · · Score: 2, Insightful

    If they're still running Windows 95/98, it already sucked to be them...bug, patch, or no...

    --
    There is no God, and Dirac is his prophet.
  35. Who gets up early? by mmell · · Score: 2, Funny
    At a recent Comdex event, Bill Gates announced to the world "I am Microsoft!"

    His wife could not be reached to comment on this!

    ***rimshot***

    Thanks folks! I'll be here all week. Don't forget to tip the wait staff.

  36. "testing ... completed earlier than anticipated" by antispam_ben · · Score: 4, Insightful

    Translation: "Our ass needed covering even earlier than anticipated."

    --
    Tag lost or not installed.
  37. 1st Party did not patch vulnerability either, then by algae · · Score: 2, Informative

    By your logic, Microsoft also has not patched the vulnerability. From the MS06-001 FAQ:

    Does this update contain any security-related changes to functionality? Yes. The change introduced to address this vulnerability removes the support for the SETABORTPROC record type from the META_ESCAPE record in a WMF image. This update does not remove support for ABORTPROC functions registered by application SetAbortProc() API calls.

    So, they basically used exactly the same workaround as the 3rd party patch that's been out for a week.

    --
    Causation can cause correlation
  38. Early? by BumpyCarrot · · Score: 2, Insightful

    Early would have been before the original flawed release, surely?

    --
    Do you see what I did there?
  39. Win 98, Win 98 SE, Win 98 ME by IEBEYEBALL · · Score: 2

    Where are the patches for Win 98, Win 98 SE, and Win 98 ME? Microsoft rates this as a critical exploit and is supposed to release patches for critical exploits so where are they? Millions of people still use these operating systems.

    --
    -- SKYKING, SKYKING, DO NOT ANSWER.
  40. Re:2000, XP, 2003, but no 3.10, 3.11, 95, 98, or M by Mercano · · Score: 3, Informative

    I never thought back then that memory leak could mean buffer overflow which could mean security vulnerability

    In this case, it's not a buffer overflow bug. In fact, it's not even a bug, per se. It's a feature, or at least a really bad design flaw that no one has stumbled upon/abused up until now. See F-Secure's writeup.

    --
    #include <signature.h>
  41. Re:2000, XP, 2003, but no 3.10, 3.11, 95, 98, or M by jschottm · · Score: 4, Informative

    Microsoft's policy is that they will only release critical patches for 9X/ME systems because they have EOLed them. Their study of the vulnerability found that while those systems are vulnerable, it is not critical because no attack vector has been identified. Whether or not you trust their assessment is another question, but that's why there's no patch for them. See questions 2, 3, and 4 in the FAQ.

    http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

    I suspect 3.x is the same, but really, if you're using 3.10 as a desktop...

  42. Re:Ilfak's unofficial patch did not require a re-b by MntlChaos · · Score: 2, Informative

    Ilfak's patch required a reboot to start applying to new processes, rtffaq.

  43. "Early" was LAST WEEK by Philip+K+Dickhead · · Score: 2, Insightful

    This is "Less late".

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
  44. NO! by baadger · · Score: 5, Informative

    So, they basically used exactly the same workaround as the 3rd party patch that's been out for a week.

    The MS patch removes the call in the WMF rendering engine that calls the gdi32 Escape() function with the SETABORTPROC parameter. The 3rd party runtime patch that's been around 'for a week' killed the Escape() function's ability to receive the SETABORTPROC procedure in _all user32.dll bound applications_ called by _anything_ for _any purpose_, 'breaking' more than just the WMF rendering caller.

    Microsoft couldn't have done any better because this wasn't a coding error like a buffer overflow, it was an ancient long forgotten genuine feature.

    1. Re:NO! by baadger · · Score: 2, Funny

      If I tell you he or she might throw a chair at me and/or fucking kill me

  45. Microsoft Bashing by OpenMynded · · Score: 2, Insightful
    Events like this WMF Exploit only prove two things.

    1. People like to b*tch about everything no matter how good they have it.
    2. Most of the people here would still hate Microsoft even if Bill gave up 75% of Microsoft's yearly profit to fund cancer research. You'd all whine "Why can't Billy give 90%, that evil, crooked b@stard."

    All you Billy-bashing knuckle-draggers can't even fathom the fact that if Mac OSX or RedHat were the top dog in enterprise sales and Microsoft was the undercapitalized weakling, viruses, worms, and spyware would no longer exist for the Win32 platform. Why would the hackers and script kiddies spend all time and effort trying to target only 20% of the market?

    You also don't have the mental capacity to appreciate Microsoft's innovative contributions to the IT industry, either directly or indirectly. Many of our current technologies were spurned directly from the spirit of competition against Microsoft. So MS buys someone out. Why hate MS? Why don't you hate the seller for selling out? You are all just looking for something to whine about.

  46. Re:non IE link please by Captain+Chaos · · Score: 2, Informative

    Yes this was also in another post, but here you go:
    http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
    I was able to download the XP and 2000 patches just fine with Firefox from that link.

  47. How bloody typical .......... by Gorshkov · · Score: 2, Informative

    Thank you for your interest in obtaining updates from our site.
    To use this site, you must be running Microsoft Internet Explorer 5 or later.
    To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.


    How bloody typical ..... I use Firefox so I don't have to use their crap any more than I have to, but I have to use their crap in order to fix another piece of their crap .....

  48. WMF Patch killed Firefox! by jhall · · Score: 2, Informative

    Has anyone else noticed that after installing the "WMF Patch" you now have a "My Websites on MSN" site in your "My Network Places" and that Firefox v1.0.7 now hangs on load? That's a good way to win the browser war. Great job Microsoft!