Microsoft has an updated advisory on the WMF vulnerability

The Security Response Center has posted an updated advisory about the WMF vulnerability. It says a patch is coming January 10.

61 thoughts on “Microsoft has an updated advisory on the WMF vulnerability”

  1. I’ve had three people tell me they’re switching to a Mac this week. It’s not because of WMF necessarily, but it’s probably the straw that broke the camel’s back. That it’s going to be a week for an official patch is a pretty big black mark on Microsoft’s image. What if this exploit had come out immediately after the last Patch Tuesday? Would it have been a whole month instead of two weeks?

  2. I agree with Bob – this is a serious setback to Microsoft’s credibility on security and their own responsiveness. My blog catches some of the pundits’ reactions here. Not a good way to start the New Year, in which Microsoft will face serious competitive thrusts from Appletel and Google (!???).

  3. Ah, a write-only-by-MSFT blog. How handy! No easy way to leave a comment nor a way to see what others are going through.

    I’m sure MSFT is afraid of the slashdot crowd posting “you sux0rz!” — but MSFT could implement a system to approve comments. That and requiring a legit email account (don’t make me sign up for a .NET / Passport account that I’ll never use) would be handy.

  4. A re-thinking of the roll-out strategy might be called for. The “second Tuesday of the month” schedule was, I think, set to make it easier for corporate customers to plan updates, but this exploit will primarily affect consumers who are more likely to surf into bad sites or click links in spam emails. It should be made available as soon as it’s ready.

  5. I’ve stuck with Microsoft since 95; this last vulnerability and the Channel 9 interview with the kernel team and their misgivings about the registry… was the last straw for me. With Intel-based Macs on the way, 2006 will be the year that I will give Apple a serious try.

  6. Jan 10th? Wow, rapid response there. Heh, I do notice you retreating to the ‘there is a fix coming, all I can say’. (I predicted such when you went on a big openness bang.) Why, if this was an airline passing out religious literature or a lock company not blogging, you’d go ballistic. 😉

    Just got done fixing (I hope) 2 machines chock full of spyware/malware rot, and both are SP2 fully-patched (P2P free) and loaded to the brim with protections; defs on all were sorta behind, but then these are End User machines, they don’t jump thru a dozen hoops to do such.

    The recipe: Antispyware scanners (Lava, SpyBot), Webroot’s Spy Sweeper and Spyblaster (protector), Antivirus (AVG or whatever the End User already has), Anti-trojan(s), an anti-pop-upper that actually works, Peer Guardian 2, Rootkit scanner(s), a specialized anti-keylogger, clean-up-Internet-files program(s), an IM protect and encrypt program, BlackICE (it’s needed) and now an unofficial patch. Whew, did I miss anything? If you think that list is a tad redundant, I promise you, it is not. Spybot sees stuff Lava or SpySweeper doesn’t, and vice-versa.

    Let me guess, everything will be fixed in Vista? Yeah, something tells me I will have to cook up a new recipe for Vista.

    Sure wish Apple had an Enterprise story with real marketshare; telling people to get Macs doesn’t work, not always, and fiddlesticks to the Linux zealots. I like (rather love) Redhat and all, but that won’t pull in the End User, sorry. But irony of ironies, Russell switches just in time for a wake-up call reminder of what he’s been missing. 😉

  7. This is bad. This is very, very, very bad. I’m a loyal, long-time Microsoft customer, and I consider this to be an unacceptably bad response time from the MSRC on making a patch available for what is a serious vulnerability. It’s pretty blatantly obvious that this is a *process* problem, not a technological problem. Microsoft can do better than this. This patch should be released before January 10th, even if it’s only the English version for XP SP2. Administrators and users will grudgingly accept multiple patches in a short amount of time, if necessary, but allowing them to go weeks without a patch while numerous machines get compromised is, quite simply, a poor business decision.

  8. I agree that this is going to be a long week. There are quite a few exploit toolkits out there. What would it take to get Microsoft to release an out-of-cycle patch if this one doesn’t warrant it? Microsoft should do better than this mess, but can they?

  9. Two Microsoft crises, at least reducing the pointless rampant speculation over ‘Google Cube’.

  10. Hah. Everyone will be pissed off until the 10th, Apple reveals new products on the 9th.

    Should be fun.

  11. Plus nothing like running up a new year and going into CES with this over your head. Anything Gates or Microsoft says will be overshadowed, and then hit with Apple spazz all over media, and now Scoble has flagged up Chinagate as a new crisis. Man, do they need new Marketing drones or what? And HD-DVD talk? Please. That war is so lost, their arrogance won’t let them see it though. And been monitoring the exploit sites, field day, and gif and jpg as “wmf” hacks anew. Long week indeed.

  12. Christopher: Glad we give you something to talk about. Imagine if we were perfect? Then what would you do?

  13. Well Robert, if Microsoft were closer to perfect then we’d have shipping software to talk about rather than who jumped where, or the new P.R. clumsiness, or the latest patch coming out on an arbitrary schedule that benefits Microsoft more than customers…

  14. I just heard from someone on the Windows OneCare beta, apparently it has been updated to protect users from the WMF exploit.

    Now, is this how it’s going to be in the future? The paying subscribers to OneCare get ‘protection’ and everyone else gets to wait however long it takes for a patch to be released?

    If so, that’s just sleazy, but nothing I haven’t come to expect from Microsoft lately.

  15. Maybe we’ll all just have to start using Windows every second Tuesday of the month to get it patched back up, and something else on the other days while we wait for the next patch.

  16. Another HORRIBLE Microsoft response to security:

    http://arstechnica.com/news.ars/post/20060103-5891.html

    “For consumer products, security updates will be available through the end of the mainstream phase. For Windows XP Home Edition, there will be no security updates after 12/31/06.” Regarding paid support for problems unrelated to security patches, I was told that “Users who want to continue to receive support after the Microsoft assisted and paid support offerings have ended may visit the Retired Product Support Options Web site.”

  17. Imagine if we were perfect? Then what would you do?

    Cty? 🙂 If perfect you’d be God. And if you were God, well I’d hafta worship. But thankfully that’s a hypothetical I never have to worry about, never ever. 😉

    PS – John will do…

  18. Has anyone considered using Hitman Pro (free)? With over eleven external antispyware programs it does everything for you.
    It now has “added Hotfix concerning the WMF vulnerability. The hotfix is created by Ilfak Guilfanov. Until Hitman detects an official patch from Microsoft, this hotfix is automatically installed. To undo this fix simply uncheck the corresponding checkbox on the Protection tab (Hitman Pro Configuration)”.
    Look for it at http://www.hotmanpro.com

  19. Extract from http://richi.co.uk/blog/2006/01/wmf-security-hole-take-action.html

    “…Microsoft’s official position on what it calls ‘third-party patches’ amounts to: ‘It is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software.’

    Even Scoble seems to be toeing the party line.

    However, as F-Secure points out: ‘Ilfak Guilfanov isn’t just anybody. He’s the main author of IDA (Interactive Disassembler Pro) and is arguably one of the best low-level Windows experts in the world.’

    Be careful out there.”

  20. I believe that MS should give money to all the people that can show proof of purchase for spyware/malware removal/detection software that eradicated this problem. MS is just letting its Windows product die a slow and painful PR death by not deploying this fix in a timely manner.

  21. So I guess no alarms for everyone to use Ilfak Guilfanov’s patch? And no dissing Microsoft for allowing a gap? Or the seeming (alleged) conflict of interest per OneCare?

    Would it help if Gay Rights were being violated? Or if religious literature was being distributed? Or if some lock company wasn’t responding to bloggers’ demands? Or if some site didn’t use RSS?

    Noticing a theme here: come out strong when news is still hazy (China, WMF), then retreat into a blank zone, pointing to others that parrot the party line, and then move on to some other crisis of the moment, hoping everyone will forget. And then when all the dust settles, point back to the ‘hot zone post’ and claim credit for it all. I guess nothing new; Microsoft managers are quite infamous for taking credit for other people’s work (even internally).

    Flame up, wimp out, move on, blog on, come back and take credit if it goes your way; if not, well, use the boilerplate excuse of “all the more reason for me to be here.”

    Snarky and cynical? Yup. 🙂

  22. This is just another reason why I won’t be using my Windows XP computer anymore and sticking with my PowerBook for everything. I finally pulled the power-cord from the wall and disconnected the keyboard and mouse. I’m lucky my IT department has allowed me to install Firefox, which will help protect me from this security problem. I can’t wait until the MacIntel computers are released! Viva la Mac!
