Microsoft releases WMF update

Ladies and gentlemen, update your computers!

On Tuesday, January 2, 2006, Microsoft announced that it would release a security update to help protect customers from exploitation of a vulnerability in the Windows Metafile (WMF) area of code in the Windows operating system, in response to the malicious and criminal attacks on computer users that were discovered last week.

Microsoft is releasing the update today, Thursday, January 5, 2006, earlier than planned.

Update: my brother says, “Point? That Microsoft is more responsive than people want to give them credit for.” That was in reaction to Ed Bott’s comparison of Microsoft updates with Firefox updates.

49 thoughts on “Microsoft releases WMF update”

  1. Kudos to the security team and management for their flexibility (and PR, no doubt, for raising the roof). Let’s hope it stems all future code execution through graphic files (sheesh!).

    I’m still a little dismayed at the security statements that this isn’t a critical matter for the legacy OSs…

  2. Robert, it is good, but yet not good!!

    Good that MSFT is being rapidly active.
    Not good that MSFT did not complete a proper risk assessment on the WMF format before production service.

    !!!!!

  3. Kudos to Microsoft for going forward with a release out of cycle from the “patch Tuesday” routine. That was warranted. But as much credit goes to SANS for the pressure on Microsoft to do this. If SANS hadn’t been as vocal about it, it would not have rolled early. SANS’ reputation added pressure to Microsoft to perform, and kudos to MS for stepping up and showing they can when the pressure is on.

  4. Hold the phone.. Kudos? For remedying a really bonehead bug? How about shooting the idiot who thought that the windows metafile was a good idea in the first place?

  5. Jonathon,

    Windows will NEVER get a real security model. The hope it once had of being as securable as VMS was dashed when Cutler’s work was botched by the Evil Empire. “Security” in windows will never get beyond the hand-waving and pretending level, and that is why Linux will replace it on the server, and ordinary desktop users will just continue to suffer until they wise up and buy a Mac.

  6. Good to see they can jump through their tails when they need to. A bit sad to see them need to so often. Ounce of prevention and all that.

  7. > “Microsoft is more responsive than people give them credit for”.

    Great cheerleading. You almost had me started.

    The exploit was made public weeks earlier, just as Microsoft’s employees go on vacation. That’s “made public” – it was probably being used by blackhats for months before to steal data from people’s computers without anybody’s knowledge. Within hours, exploit code was widely available.

    For an exploit that affects every version of Windows from 3.1 to 2003 64-bit server edition, Microsoft’s security response was far from good.

    During the holidays, Microsoft employees blogged about it like they were more interested in going on vacation than fixing the problem:
    http://blogs.technet.com/msrc/archive/2005/12/30/416694.aspx

    “Hey, happy new year!”
    “Everything’s cool!”
    “There’s NO WAY you could get hit, guys!”
    “We know about the problem!”
    “Uh, yeah, we’re ‘working’ with antivirus companies on the problem.” (like they are responsible for it at all)
    “Have a safe and happy New Year!”

    Let’s not get carried away, especially since the fix became available from third-party sources (doing most of the work for Microsoft) well before it was made available from Windows Update.

    What was the reward for those brave souls who came forward to fix the problem for a company with a monopoly and $50 billion in the bank? Microsoft discouraged people from installing an “unapproved” patch.

  8. Robert, if you’ve already installed the unauthorized patch from Hexblog, how do you handle the official version? Will Microsoft release any info on this?

  9. Claiming victory on this one is the absolute height of indifferent arrogance; humility is seriously in order. But in the parallel universe that is the Redmond bubble zone, any disaster always has happy spin doctors working overtime to polish the story and send out talking points (that the bloggers and zealots eat up).

    So don’t go smug; if (they) do, I just might zap my biggie Air Force systems friend a little memo’ed ‘APB’. (’Member that Air Force splash from years past? Just took a domino push. 😉 About the same timeframe as the Kim Kommando and NEC Tablet blowout). Ahh, fun roller coaster times, that.

  10. From Ars Technica:

    > “The bug is found in all versions of Windows from 98 to XP, and affects both the Windows 95 and NT codebases. Unfortunately, users of Windows 98, 98 SE, or ME can do little more than punt, as the patch is not available for those operating systems. Microsoft only updates older OSs if it judges a security issue as critical, and it has found a loophole in its own rules by simply declaring the issue “not critical” for that particular software.
    >
    > Although Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do contain the affected component, the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions.”

    Bwahahaha.

    Also, this is kind of a misleading play on dates:

    > “Microsoft announced that it would release a security update to help protect customers from exploitations of a vulnerability in the Windows Meta File (WMF) area of code in the Windows operating system on Tuesday, January 2, 2006…”

    …this should be: …announced on January 2, 2006 that a patch to fix a critical issue that was found on December 27, 2005 would be available on January 10, 2006. This date was pushed up to January 5, 2006.

    10 days wouldn’t be too bad if this were a non-critical exploit. I, and many others, would appreciate a quicker turn-around time.

  11. The whole “We’ll update on 10 Jan” was stupid to begin with. When you have a bug that people are getting attacked through, you don’t pick an arbitrary date. You release the patch the very nanosecond it’s ready.

    You know, for all the PR money MS spends, they’re really quite stupid about the “Relations” part.

  12. Read the rest of the comments on Ed Bott’s Blog. The flaw he cited was nowhere near as dangerous as the WMF exploit. I would not have made the comparisons he did.

    I would also point out that his use of this example is very typical of the ignorance exhibited by many Microsoft advocates: counting fixes instead of the severity of the flaws. A more careful analysis will show that Microsoft’s service is nothing to brag about.

    Don’t misunderstand me, I integrate and specify Microsoft products at work every day. They have a GUI which is second to nobody, and a pretty nice program development environment in Visual Studio. Security is there, though it’s hardly used due to the cultural history of the transition from some poor long term choices in earlier 16 bit Windows releases.

    Ultimately, it’s a good client machine. As a server, it’s very easy to set up, but too insecure for me to consider using it on the Internet.

    I am dismayed by the very stilted perspectives many exhibit on this issue. Yes, this was a Zero Day exploit. We can argue forever about whether this or that system architecture favors such flaws. What I care about is responsiveness. This was a nasty flaw. It will continue to haunt unpatched Microsoft platforms for many months to come. As responsive as Microsoft was, others have done much better. There is room for improvement here and all of the apologists out there ought to acknowledge that fact.

  13. > You know, for all the PR money MS spends, they’re really quite stupid about the “Relations” part.

    Yeah, never (quite) understood that part, PR crisis after PR crisis; granted the Media pays 10 times more attention to anything they do, but after a while you’d figure they’d learn to sing. Half the fault can be placed on Wagged, in not having to fight for the account and sending forth legions of poorly trained newly-minted college grads as frontline cannon-fodder troops. Volumes and volumes could be written on press hate of Wagged, as half the time it’s not Microsoft itself, rather it’s the Devilish minions doing their bidding.

    But on one of my early Pocket PC era visits to the Campus (back when I was loved and adored, instead of hated and libeled), and seeing how Microsoft employees treated their contractors and other ‘wrong color’ Badgers, in front of a gaggle of press no less (i.e. like slaves), quite Medieval actually, it sort of all crystallized for me. They see themselves as super-humans, an elite race above and beyond normal mere mortals. Badge racism as an art form. Basically it comes down to a geek form of Aryanism.

    The ‘ends justifies the means’; their far-off visions are so important, so needed for the future development of mankind, everything else is a mere flippant trifle, the public be damned. Such can be a great programmer motivation, but they take it all too seriously, constantly instilling that Microsoft only hires the best, therefore you are the best strain of humanity itself. (Well, not everyone parrots the line, as Mini-Microsoft shows).

  14. > The flaw he cited was nowhere near as dangerous as the WMF exploit. I would not have made the comparisons he did.

    Jake, see my follow-up post (linked from the original post), which contains an example of a “highly critical” Firefox bug with working exploit code in the wild. Guess how long it took to get patched?

    http://www.edbott.com/weblog/?p=1207

    The point is not that Firefox sucks, too. The point is that it takes time to patch a complex piece of software. That’s true of Windows and Firefox alike.

  15. > “Microsoft announced that it would release… …on Tuesday, January 2, 2006”

    > “Microsoft will release the update today on Thursday, January 5, 2006, ***earlier than planned.***”

    what?

  16. Pingback: Iggy Uncensored
  17. I’ve been tracking this one since the first SANS alert, and I’m somewhat surprised by the MS response.

    In the initial security bulletin it was a moderate vulnerability, and people were advised to deregister the DLL (even though it is quite possible for the DLL to be re-registered or called directly). And given stupid advice like not to surf on unfamiliar websites or something.

    The SANS people noted that this has a potential for disaster and even went so far as to advise people to install an unofficial patch (which we didn’t apply after lengthy corporate discussion; we stuck to having the DLL deregister command in the logon scripts and sending out warning mails and praying traveling users would not have their machines rooted).

    And then MS quietly releases a critical patch out of cycle despite what was said earlier. It just seems sloppy, and the downplaying of such a severe security hole for what can only be PR reasons is downright stupid.
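The caveat in the comment above, that deregistering the viewer DLL does not stop a WMF from being parsed by some other code path, is why administrators in this situation also wanted content inspection at the mail gateway or proxy: a check that recognises a WMF by its structure rather than its file extension and flags the record type that was being abused. The Python below is an added example written for this page; it is not code from the post, from any commenter, from SANS or from Microsoft. The header layout, record layout and the META_ESCAPE / SETABORTPROC identifiers come from the public WMF format documentation and the contemporary public analysis of the exploit, not from this page, and the sample file it scans is constructed inline.

```python
import struct

# Constants from the public WMF format documentation (not from this page).
WMF_PLACEABLE_MAGIC = 0x9AC6CDD7   # key of the 22-byte "Aldus" placeable header
META_EOF = 0x0000
META_SETMAPMODE = 0x0103           # harmless record, used only in the constructed sample
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009              # escape subfunction that registers a callback


def parse_wmf_records(data):
    """Yield (function, params) for each record of a WMF byte string.

    Accepts placeable and plain files, validates the 18-byte standard header,
    and refuses any record that runs past the buffer so a hostile length
    field cannot drive an out-of-bounds read. Raises ValueError on bad input.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == WMF_PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError('too short for a WMF header')
    mtype, header_words, _version = struct.unpack_from('<HHH', data, off)
    if mtype not in (1, 2) or header_words != 9:
        raise ValueError('not a WMF header')
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from('<IH', data, off)   # size is in 16-bit words
        end = off + size_words * 2
        if size_words < 3 or end > len(data):
            raise ValueError('bad record size at offset %d' % off)
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_setabortproc(data):
    """Return the indices of Escape records whose subfunction is SETABORTPROC."""
    hits = []
    for index, (func, params) in enumerate(parse_wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 2:
            subfunction = struct.unpack_from('<H', params, 0)[0]
            if subfunction == SETABORTPROC:
                hits.append(index)
    return hits


def classify(data):
    """'unparseable' | 'clean' | 'suspicious' for a blob, regardless of its extension."""
    try:
        hits = find_setabortproc(data)
    except ValueError:
        return 'unparseable'
    return 'suspicious' if hits else 'clean'


def build_sample_wmf(escape_subfunction, placeable=True):
    """Constructed sample (not a real capture): SETMAPMODE, one Escape record, META_EOF."""
    records = struct.pack('<IHH', 4, META_SETMAPMODE, 8)            # 8 = MM_ANISOTROPIC
    escape_data = b'\x00' * 4
    records += struct.pack('<IHHH', 5 + len(escape_data) // 2, META_ESCAPE,
                           escape_subfunction, len(escape_data)) + escape_data
    records += struct.pack('<IH', 3, META_EOF)
    size_words = (18 + len(records)) // 2
    header = struct.pack('<HHHHHHIH', 1, 9, 0x0300, size_words & 0xFFFF,
                         size_words >> 16, 0, 7, 0)
    aldus = struct.pack('<IhhhhhhIH', WMF_PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0)
    return (aldus if placeable else b'') + header + records


if __name__ == '__main__':
    for name, blob in (('setabortproc', build_sample_wmf(SETABORTPROC)),
                       ('other-escape', build_sample_wmf(0x000F)),
                       ('not-wmf', b'GIF89a')):
        print(name, classify(blob))
```

This is a signature, not a proof of safety: it says nothing about records it does not understand, and a file that fails to parse is reported as such rather than as clean, so a gateway should quarantine both 'suspicious' and 'unparseable' image attachments rather than pass the latter through.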
