Slashdot Mirror


Microsoft to Patch WMF Exploit Early

Chran writes "Microsoft has just announced that they will release a security update for the .WMF-exploit today at 2pm ET, instead of Tuesday, as originally planned. Microsoft writes: 'Microsoft originally planned to release the update on Tuesday, January 10, 2006 as part of its regular monthly release of security bulletins, once testing for quality and application compatibility was complete. However, testing has been completed earlier than anticipated and the update is ready for release. In addition, Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.'"

24 of 306 comments

  1. Reactive vs Proactive by biocute · · Score: 5, Insightful

    Microsoft is releasing the update early in response to strong customer sentiment that the release should be made available as soon as possible.

    It would have been nicer if they made patches available as soon as possible with or without strong customer sentiment.

    1. Re:Reactive vs Proactive by Anonymous Coward · · Score: 5, Informative

      Patch has been released.
      Get it here: http://www.microsoft.com/technet/security/Bulletin/ms06-001.mspx

      According to the folks at F-secure, it co-exists well with Ilfak's unofficial patch as well as the REGSVR32 workaround. Read their blog here: http://www.f-secure.com/weblog/archives/archive-012006.html#00000771

    2. Re:Reactive vs Proactive by cnettel · · Score: 5, Interesting
      For an out-in-the-wild exploit, I would agree. For one that is currently, to their knowledge, not known among the script kiddies of the world, I'm not so sure. Releasing a patch will, generally, make those who are not yet prepared to implement it more vulnerable, if it means that knowledge of details is more wide-spread.

      I think that some corporate users (especially) are quite thankful for patch Tuesdays; especially those that have been bitten by some compatibility issue previously and can't just run autoupdate of all desktops at night, but rather want to roll it out manually.

      Again, this is not the case here, this exploit was discovered in the wild and it's spreading right now.

    3. Re:Reactive vs Proactive by grcumb · · Score: 4, Insightful

      "If the impact is huge, testing of more obscure cases can be deferred somewhat. If the impact is small, more time can be taken."

      I'm with you so far....

      "So if there hadn't been any customer sentiment (i.e. no one cared), it would make no sense to rush the patch and risk breaking something."

      Err, that's a non-sequitur. Whether customers care or not has nothing to do with the cost/benefit analysis that decides the timing and scope of an initial patch. A software company should never rely on its customers to perform risk analysis. If it's serious (and the WMF flaw is egregiously so), then you find a way to protect your customers as quickly and effectively as you can. In some cases - though certainly not all - you can even accept shortcomings in the patch itself if it significantly reduces the risk.

      The third-party patch, for example, causes issues with the Windows printing subsystem. People voiced suspicions that this might be the case right from the start, though confirmation only came through earlier today. To my mind, that was an acceptable risk. A server that can't perform some print tasks and won't show pretty preview icons is worth a heck of a lot more to me than one that's 0wned by some random script kiddy.

      And before some astroturfing twit spouts the simplistic, binary logic of 'MS is damned if they do and damned if they don't', I'd like to say from experience that deciding the timing of a security patch is a terribly difficult process. It requires the right amount of analytical skill, deep technical expertise, a healthy dose of horse sense and exactly the right measure of patience. Too much or too little of any of these can result in exactly the wrong kind of response.

      Patching is not about being a nice guy. It's not about what your customers think of you. There should be no marketing or sales angle in the creation or timing of a security patch. You determine the scope and severity of the threat, be as thorough as you can reasonably hope to be (and that's never as thorough as you'd like), and deliver it as soon as you reasonably can.

      I'm in complete agreement with this handler's diary from isc.sans.org concerning Microsoft's announcement that they would issue the patch at the regularly scheduled time. Given the severity of the flaw, it's unconscionable that they should leave their customers exposed for so long. The fact that they only decided to release the patch out of cycle in response to their users demonstrates that they're far more worried about their image than they are about their software. This does not bode well at all for them. Or for their customers, for that matter.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  2. and millions of /.'ers groan... by B00yah · · Score: 5, Funny

    Thank you for your interest in obtaining updates from our site.

    To use this site, you must be running Microsoft Internet Explorer 5 or later.

    To upgrade to the latest version of the browser, go to the Internet Explorer Downloads website.

    1. Re:and millions of /.'ers groan... by l1_wulf · · Score: 4, Informative

      Actually, the only reason IE is vulnerable but FF & Opera are not, is because the other big name browsers associate WMF files with Media Player instead of Picture and Fax viewer. WMP does nothing with WMF files, therefore nothing happens when exposed to the vulnerability. On the other hand, should the offending graphic actually get on your hard drive and you use Google Desktop, you will be vulnerable due to the indexing done immediately after download (obviously, if you have indexing turned off for graphics, this won't happen).

    2. Re:and millions of /.'ers groan... by cnettel · · Score: 4, Informative

      I'm not so sure about that. Yes, some picture loading libraries provided in Windows will do this. No, LoadBitmap won't (it's not a bitmap!). IIRC, Firefox doesn't use the same high-level libraries, as they are rolling their own code on all platforms. So, no, it won't happen. You can easily try this if you have a valid WMF file lying around. Rename it to JPG and open in FF. It won't render, complaining about an invalid header. Rename a valid PNG to JPG or a valid JPG to PNG, though, and it renders just fine. Firefox does auto-detection of image type, but not autodetection of WMF.

  3. Feh ! by witte · · Score: 5, Funny

    No problem... there's plenty of other exploits for windows.

  4. Splendid... by Hymer · · Score: 4, Insightful

    ...only 10 days too late...
    ---
    tis is not a FP

  5. 3rd person by kennygraham · · Score: 5, Funny
    Microsoft writes: "Microsoft originally planned...
    kennygraham is glad that they're patching it early.
  6. is their face red by zietlow · · Score: 5, Funny

    "in response to strong customer sentiment" I.e. we look foolish that the community was able to fix it sooner than we were. Here you go, we're not that bad after all, see?

    Let's be friends again.

    --
    Slashdot # 199661 the number that's the same upside down and right side up
  7. So early? by flicken · · Score: 4, Funny

    They would have released it earlier, but their test machines kept getting hacked...

    --
    20 mil and I will! Learn Esperanto with 20M others.
  8. Re:8 Days to patch by Anonymous Coward · · Score: 5, Insightful

    ProTip : If a third party can patch it faster than you, without access to the original source code - you suck.

  9. Thank you, Big Brother by Gadren · · Score: 5, Insightful

    "It appeared that there had even been demonstrations to thank Big Brother for raising the chocolate ration to twenty grammes a week. And only yesterday, he reflected, it had been announced that the ration was to be reduced to twenty grammes a week."

  10. MS Gets Up Early To Issue Patch! by Quiet_Desperation · · Score: 5, Funny
    "I usually sleep in to a reasonable hour for a Thursday, like, noon," said Microsoft, appearing at 8am at a press conference outside a Hardee's in Iowa, dressed in slippers and a blue bathrobe with the words 'Sexy Grandpa' emblazoned on the back. "But all you whiiiiiiiiners wouldn't let me get my rest. So I'll crank this thing out and have it on Windows Update by 11am."

    "When will the patch for the patch be released?" asked Fox News correspondent Bubbles McConnifer, causing the press corps to giggle like schoolgirls in heat.

    "Smile when you said that, bitch," growled a visibly angered Microsoft, who then motioned to two pinstripe suited thugs who escorted Ms. McConnifer from the press conference.

    "Any other questions, whores?" asked Microsoft, placing fists on hips and allowing his 'MS Certified Otakus Rule!' T-Shirt to be seen. His query was greeted by silence. "Well alright, then."

  11. Rough translation by ctid · · Score: 4, Funny
    testing has been completed earlier than anticipated

    Our customers are getting pwn3d.
    --
    Reality is defined by the maddest person in the room
  12. Re:8 Days to patch by MatD · · Score: 5, Funny
    I'm a third party, and I can patch it right now without even touching the code. Just beat your hard drive with a hammer, and you will be immune to the exploit.

    I have no idea what the side effects of this will be for your other applications (because I didn't do any regression testing), but I'm not MS, so I don't really care.

    Mat

    --
    Since when did operating systems become a religion?
  13. Does *not* require Internet Explorer... by SenorCitizen · · Score: 4, Informative
    Thank you for your interest in obtaining updates from our site. To use this site, you must be running Microsoft Internet Explorer 5 or later.

    Funny, yes, but not true. The patch is available here:

    http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

    Just downloaded it with Firefox. It's just Windows Update that requires IE.

  14. Re:early my eye by javaxman · · Score: 4, Interesting
    It's the old "SCOTTIE" trick. They say they need until the 10th to test and patch and make sure it works and then they WOW us by being able to release it early. They had it ready before now, they are just trying to salvage what little they have out of this fiasco.

    They had it ready, if by ready you mean a version had been compiled and 'tested' once on the developer's machine.

    Trust me, right now in Redmond there's a whole team of Quality Assurance Engineers who are looking at their test plans, scratching their heads, and once again calling into question the actual value of their work, given that some manager can arbitrarily decide when it's time to rush a release regardless of what the schedule said or what the impact of a patch was or which cases remain un-tested. That, and they're really, really tired after pulling a couple of all-nighters.

    Have fun testing that patch.

  15. Re:8 Days to patch by croddy · · Score: 5, Insightful
    1. Release patch 8 days late
    2. Describe it as an "early" release
    3. ???
    4. Profit!!!
  16. "testing ... completed earlier than anticipated" by antispam_ben · · Score: 4, Insightful

    Translation: "Our ass needed covering even earlier than anticipated."

    --
    Tag lost or not installed.
  17. Re:2000, XP, 2003, but no 3.10, 3.11, 95, 98, or M by jschottm · · Score: 4, Informative

    Microsoft's policy is that they will only release critical patches for 9X/ME systems because they have EOLed them. Their study of the vulnerability found that while those systems are vulnerable, it is not critical because no attack vector has been identified. Whether or not you trust their assessment is another question, but that's why there's no patch for them. See questions 2, 3, and 4 in the FAQ.

    http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

    I suspect 3.x is the same, but really, if you're using 3.10 as a desktop...

  18. Re:8 Days to patch by TubeSteak · · Score: 4, Funny

    Your method sounds pretty easy.

    Do I have to reboot afterwards?

    --
    [Fuck Beta]
    o0t!
  19. NO! by baadger · · Score: 5, Informative

    So, they basically used exactly the same workaround as the 3rd party patch that's been out for a week.

    The MS patch removes the call in the WMF rendering engine that calls the gdi32 Escape() function with the SETABORTPROC parameter. The 3rd party runtime patch that's been around 'for a week' killed the Escape() function's ability to receive the SETABORTPROC procedure in _all user32.dll bound applications_ called by _anything_ for _any purpose_, 'breaking' more than just the WMF rendering caller.

    Microsoft couldn't have done any better because this wasn't a coding error like a buffer overflow, it was an ancient long forgotten genuine feature.