Linked by Thom Holwerda on Thu 5th Jan 2006 21:24 UTC
Microsoft has officially released the patch that fixes the WMF flaw. The patch can be downloaded individually here, but it is advised to simply use Windows Update. Yesterday, Microsoft said it would not release it until next Tuesday, but two (1 | 2) third-party fixes were already available. And to make matters worse, Microsoft accidentally leaked their own patch to the Net yesterday.
RE: how?
by Resolution on Thu 5th Jan 2006 22:26 UTC in reply to "how?"
Resolution Member since:
2005-11-14

Because response time should be measured in hours, not weeks. When over 100 variants of an unpatched exploit are out in the wild, and you still haven't released a patch, then yeah, you are late.

Reply Parent Score: 5

RE[2]: how?
by nemith on Thu 5th Jan 2006 23:20 in reply to "RE: how?"
nemith Member since:
2005-07-28

I would love to see a Dev, QA, and release team release a patch to an operating system in a couple of hours.

I am sorry, this isn't Linux where you are the QA and release team.

Reply Parent Score: 3

RE[3]: how?
by dylansmrjones on Fri 6th Jan 2006 14:36 in reply to "RE[2]: how?"
dylansmrjones Member since:
2005-10-02

Correct. And that's the problem apparently ;)

A week is a week too late for anything this serious.

Reply Parent Score: 1

RE[2]: how?
by ivans on Fri 6th Jan 2006 11:47 in reply to "RE: how?"
ivans Member since:
2005-12-03

You had 2 different unofficial patches, from Ilfak and ESET, that work flawlessly, the first one being released in a couple of hours, packed inside an MSI so that it could easily be distributed via group policy.

You had at least one workaround (unregistering shimgvw.dll) that COMPLETELY mitigates this vulnerability.

You have several AntiViruses reportedly (http://www.av-test.org) blocking EVERY exploit variant (206 known exploits were tested), and some of them are even FREE for home use (ClamAV even for corporate).

You have snort signatures (http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENT...), and a known list of web sites distributing the exploits that every capable admin blocked access to.

Most e-mail clients (I use gmail) won't even show images from unknown sources, and the only way to get infected is _manually_ visiting a malicious XXX/warez site with the exploit.

So tell me how is this "late", when the bug isn't even remotely exploitable without manual interaction. I just installed the MS hotfix and gdi32.dll has a timestamp of December 28th, which means that MS fixed this bug almost IMMEDIATELY, and the only thing that got it delayed was the thorough testing it required in the lab.

Windows core components are not Firefox 1.0.x, when new versions were built just to get around broken extensions. What would you tell your customers if Mozilla broke some APIs your mission-critical application required?

Microsoft has the right balance between security and reliability it guarantees to its customers. This WMF flaw is nothing serious, just a media-overhyped minor bug that came in an unfortunate time of holidays when IT news are generally lacking. You see no high-profile worm propagating with this bug, because it is nothing serious.

Reply Parent Score: 3

RE[3]: how?
by Anonymous. on Fri 6th Jan 2006 16:43 in reply to "RE[2]: how?"
Anonymous. Member since:
2005-12-04

This WMF flaw is nothing serious, just a media-overhyped minor bug that came in an unfortunate time of holidays when IT news are generally lacking.

hmm...
* the flaw allows remote execution of code
* windows has several known unfixed privilege escalation vulnerabilities ( http://secunia.com/advisories/11633/ for example)

how can this be "overhyped"? even most "careful" users can have their system completely compromised by this bug...

Reply Parent Score: 1