Robert Lemos, SecurityFocus 2006-01-12
For four days in January, network administrators and security-savvy home users had a choice: Download and install an unofficial open-source fix for the critical flaw in the Windows Meta File (WMF) format or wait an estimated week for an official patch from Microsoft.
What Microsoft needs to be doing...
2006-01-12
Eric (2 replies)
Re: What Microsoft needs to be doing...
2006-01-13
Matthew Murphy (1 replies)
They're very much customer-driven, just not by the customers you might think. They're "driven" by large corporate customers that think of IT as a non-necessity, a resource. They also have resources to throw behind occasional risk management in the face of a REPORTED zero-day threat. Publicly-know...
Re: Re: What Microsoft needs to be doing...
2006-01-13
Eric
No, I can't believe that they're driven by large customers. At least when I worked there that was not the case. Neither were they driven by small customers.
I'm NOT in favor of "they should audit and review, and not work on new code". What I said was, "an inordinate amount of their resources ar...
Alternative solution
2006-01-13
mxb (2 replies)
The alternative solution to the problem for Microsoft is to release two patches. The first is a "beta" patch which has been tested on the main pieces of software (Windows 2000/XP/2003, SQL Server etc.), newer software which runs on servers and the majority of machines. Due to the less testing invo...
Re: Alternative solution
2006-01-13
DSMatthews
Great idea!
If the update profiles your system it can tell you what it has been tested against, then M$ can focus on testing the systems and apps that are used most, then get on to the rest later.
As soon as something is signed off as tested the update servers know about it and they can compar...
Re: Alternative solution
2006-01-13
Anonymous
The problem with that is, sometimes a patch can cause other problems (i.e. breaking other software, corrupting databases, rather soundly screwing up user accounts, and the list goes on). It's best to be sure you aren't creating more problems before releasing the patch. Sometimes the additional prob...
Make'em pay!
2006-01-13
assurbanipal
It's time to make these big corporations liable for their errors, and pay!
Of course it's impossible to guarantee software to be bug-free, but at least one should demonstrate enough "due diligence" in designing and writing stuff. Something these alleged software giants, and particularly Micro$oft, ...
The Squander of MS Admins && Users
2006-01-13
Anonymous (1 replies)
Administrators and IT managers are to blame, not Microsoft. Microsoft is a criminal corporation taking advantage of the public's ignorance, and selling a product full of security and compatibility flaws. I find it funny that so many blame Microsoft, when the blame is to rest on those who sup...
Re: The Squander of MS Admins && Users
2006-01-16
Anonymous (1 replies)
So... if open source is so leet and would've prevented this (like my Mum with 60,000 lines of C++ would've helped), why is Wine vulnerable?...
Where a zero-day flaw comes from
2006-01-15
lucmars
You may have heard, according to S. Gibson from media.grc.com, that the WMF flaw seems to be an "undocumented Windows feature": the Escape/SETABORTPROC procedure can respond to a specific value, normally impossible, from which Windows goes directly to the code included in the metafile and executes it.
So...
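The mechanism lucmars describes (a WMF Escape record whose escape function is SETABORTPROC, which should never appear in a metafile meant only for rendering) is exactly what a defensive content filter looks for. The following is an added example, not code from the original article or any commenter: a minimal WMF record walker in Python that reports every META_ESCAPE record and flags SETABORTPROC. The record layout it assumes follows the Windows Metafile format (optional 22-byte placeable header, 18-byte standard header, then records of a 32-bit size-in-words plus a 16-bit function number, with META_ESCAPE = 0x0626 and SETABORTPROC = 9). The sample file it builds is constructed purely for the test and carries four zero bytes as escape data, not any payload.

```python
"""Flag WMF files that carry a SETABORTPROC escape record (added example)."""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the Aldus placeable header
PLACEABLE_HEADER_LEN = 22      # bytes
META_ESCAPE = 0x0626           # record function number for Escape()
META_EOF = 0x0000              # terminating record
META_SETMAPMODE = 0x0103       # a benign record used in the constructed sample
SETABORTPROC = 0x0009          # escape function that sets an abort callback


def scan_wmf(data: bytes):
    """Return a list of (offset, escape_function, byte_count) for every
    META_ESCAPE record in the metafile. Raises ValueError on a malformed file,
    which a filter should treat as 'reject', not 'clean'."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = PLACEABLE_HEADER_LEN          # skip the placeable header if present
    if len(data) < pos + 18:
        raise ValueError("truncated WMF header")
    mtype, header_words, _version = struct.unpack_from("<HHH", data, pos)
    if mtype not in (1, 2) or header_words != 9:   # 1 = memory, 2 = disk metafile
        raise ValueError("not a WMF header")
    pos += header_words * 2

    findings = []
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3:                  # size covers its own 6-byte prefix
            raise ValueError(f"malformed record size at offset {pos}")
        record_end = pos + size_words * 2
        if record_end > len(data):
            raise ValueError(f"record at offset {pos} runs past end of file")
        if func == META_EOF:
            break
        if func == META_ESCAPE and pos + 10 <= len(data):
            esc_func, byte_count = struct.unpack_from("<HH", data, pos + 6)
            findings.append((pos, esc_func, byte_count))
        pos = record_end
    return findings


def has_setabortproc(data: bytes) -> bool:
    """True if any escape record in the file requests SETABORTPROC."""
    return any(esc == SETABORTPROC for _, esc, _ in scan_wmf(data))


def _record(func: int, params: bytes) -> bytes:
    """Build one WMF record: size in 16-bit words, function number, parameters."""
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_sample(include_setabortproc: bool) -> bytes:
    """Constructed test input: a tiny memory metafile with one benign record,
    optionally followed by a SETABORTPROC escape whose data is four zero bytes."""
    records = [_record(META_SETMAPMODE, struct.pack("<H", 1))]   # MM_TEXT
    if include_setabortproc:
        esc_data = b"\x00\x00\x00\x00"   # placeholder bytes, deliberately inert
        records.append(_record(META_ESCAPE,
                               struct.pack("<HH", SETABORTPROC, len(esc_data)) + esc_data))
    records.append(_record(META_EOF, b""))
    body = b"".join(records)
    header = struct.pack("<HHHIHIH",
                         1,                        # Type: memory metafile
                         9,                        # HeaderSize in words
                         0x0300,                   # Version
                         9 + len(body) // 2,       # Size in words
                         0,                        # NumberOfObjects
                         max(len(r) // 2 for r in records),   # MaxRecord
                         0)                        # NumberOfMembers
    return header + body


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample(flag)
        print(f"sample(setabortproc={flag}): escapes={scan_wmf(sample)} "
              f"suspicious={has_setabortproc(sample)}")
```

A filter built on this should reject on parse errors as well as on a positive match: a file whose record sizes do not add up is not something a gateway should pass through to a renderer on the strength of having found no escape.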
Patch from Guilfanov was not the only one
2006-01-16
Juha-Matti Laurio
AV vendor ESET released their own patch on 4th January as a ZIP package too, and it was reportedly working in Windows 98/98SE systems too.
The download link was removed after the official MS06-001 release, only one day later on Thursday.
Additionally, the official press release has been update...
Unofficial fix eliminates GDI32 Escape() functionality in Windows 98SE
2006-01-16
Juha-Matti Laurio
Information about a new unofficial patch to eliminate GDI32 Escape() functionality in Windows 98SE was released on Saturday Jan 14:
http://blogs.securiteam.com/index.php/archives/210
The author published source code (like Ilfak Guilfanov did) too, and the process "was inspired by Ilfak's fix f...