Microsoft to release WMF vulnerability update TODAY

 
 
Brett Roberts
 
      01-05-2006
Microsoft will be releasing the update (MS06-001) for the WMF vulnerability
today at 2pm PST (11am NZ time). PC's configured for automatic updating will
receive the update without additional user intervention or customers can
visit http://update.microsoft.com to initiate a manual update process.

There is additional information on the vulnerability at
http://www.microsoft.com/technet/sec...ry/912840.mspx

Brett Roberts
Microsoft NZ

And now for a message from our legal people:
** this post is provided "AS IS" with no warranties, and confers no rights
**


 
Brett Roberts
 
      01-05-2006
"Brett Roberts" <> wrote in message
news:43bd84b6$...
> Microsoft will be releasing the update (MS06-001) for the WMF
> vulnerability today at 2pm PST (11am NZ time). PC's configured for
> automatic updating will receive the update without additional user
> intervention or customers can visit http://update.microsoft.com to
> initiate a manual update process.
>
> There is additional information on the vulnerability at
> http://www.microsoft.com/technet/sec...ry/912840.mspx
>
> Brett Roberts
> Microsoft NZ
>
> And now for a message from our legal people:
> ** this post is provided "AS IS" with no warranties, and confers no rights
> **
>


FYI, I've just checked the Windows Update site and the patch is available
*now*

Brett


 
Shane
 
      01-05-2006
On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:

> "Brett Roberts" <> wrote in message
> news:43bd84b6$...
>> Microsoft will be releasing the update (MS06-001) for the WMF
>> vulnerability today at 2pm PST (11am NZ time). PC's configured for
>> automatic updating will receive the update without additional user
>> intervention or customers can visit http://update.microsoft.com to
>> initiate a manual update process.
>>
>> There is additional information on the vulnerability at
>> http://www.microsoft.com/technet/sec...ry/912840.mspx
>>
>> Brett Roberts
>> Microsoft NZ
>>
>> And now for a message from our legal people: ** this post is provided
>> "AS IS" with no warranties, and confers no rights **
>>
>>

> FYI, I've just checked the Windows Update site and the patch is available
> *now*
>
> Brett


gosh.. only a week too late

--
BOFH excuse #231:

We had to turn off that service to comply with the CDA Bill.

 
 
Brett Roberts
 
      01-05-2006
"Shane" <> wrote in message
news...
> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
>
>> "Brett Roberts" <> wrote in message
>> news:43bd84b6$...
>>> Microsoft will be releasing the update (MS06-001) for the WMF
>>> vulnerability today at 2pm PST (11am NZ time). PC's configured for
>>> automatic updating will receive the update without additional user
>>> intervention or customers can visit http://update.microsoft.com to
>>> initiate a manual update process.
>>>
>>> There is additional information on the vulnerability at
>>> http://www.microsoft.com/technet/sec...ry/912840.mspx
>>>
>>> Brett Roberts
>>> Microsoft NZ
>>>
>>> And now for a message from our legal people: ** this post is provided
>>> "AS IS" with no warranties, and confers no rights **
>>>
>>>

>> FYI, I've just checked the Windows Update site and the patch is available
>> *now*
>>
>> Brett

>
> gosh.. only a week too late
>
> --
> BOFH excuse #231:
>
> We had to turn off that service to comply with the CDA Bill.
>


It takes a finite amount of time to build and test a patch. This particular
one covers 23 language variants and was tested against approximately 1000 PC
configurations.


 
 
Shane
 
      01-05-2006
On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:

> "Shane" <> wrote in message
> news...
>> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
>>
>>> "Brett Roberts" <> wrote in message
>>> news:43bd84b6$...
>>>> Microsoft will be releasing the update (MS06-001) for the WMF
>>>> vulnerability today at 2pm PST (11am NZ time). PC's configured for
>>>> automatic updating will receive the update without additional user
>>>> intervention or customers can visit http://update.microsoft.com to
>>>> initiate a manual update process.
>>>>
>>>> There is additional information on the vulnerability at
>>>> http://www.microsoft.com/technet/sec...ry/912840.mspx
>>>>
>>>> Brett Roberts
>>>> Microsoft NZ
>>>>
>>>> And now for a message from our legal people: ** this post is provided
>>>> "AS IS" with no warranties, and confers no rights **
>>>>
>>>>
>>> FYI, I've just checked the Windows Update site and the patch is
>>> available *now*
>>>
>>> Brett

>>
>> gosh.. only a week too late
>>
>> --
>> BOFH excuse #231:
>>
>> We had to turn off that service to comply with the CDA Bill.
>>
>>

> It takes a finite amount of time to build and test a patch. This
> particular one covers 23 language variants and was tested against
> approximately 1000 PC configurations.


Yeah.. I saw another company managed it in less time
(Without any source code from Microsoft as well)

--
A pain in the ass of major dimensions.
-- C.A. Desoer, on the solution of non-linear circuits

 
 
Shane
 
      01-05-2006
On Fri, 06 Jan 2006 10:05:35 +1300, Shane wrote:

> On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:
>
>> "Shane" <> wrote in message
>> news...
>>> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
>>>
>>>> "Brett Roberts" <> wrote in message
>>>> news:43bd84b6$...
>>>>> Microsoft will be releasing the update (MS06-001) for the WMF
>>>>> vulnerability today at 2pm PST (11am NZ time). PC's configured for
>>>>> automatic updating will receive the update without additional user
>>>>> intervention or customers can visit http://update.microsoft.com to
>>>>> initiate a manual update process.
>>>>>
>>>>> There is additional information on the vulnerability at
>>>>> http://www.microsoft.com/technet/sec...ry/912840.mspx
>>>>>
>>>>> Brett Roberts
>>>>> Microsoft NZ
>>>>>
>>>>> And now for a message from our legal people: ** this post is provided
>>>>> "AS IS" with no warranties, and confers no rights **
>>>>>
>>>>>
>>>> FYI, I've just checked the Windows Update site and the patch is
>>>> available *now*
>>>>
>>>> Brett
>>>
>>> gosh.. only a week too late
>>>
>>> --
>>> BOFH excuse #231:
>>>
>>> We had to turn off that service to comply with the CDA Bill.
>>>
>>>

>> It takes a finite amount of time to build and test a patch. This
>> particular one covers 23 language variants and was tested against
>> approximately 1000 PC configurations.

>
> Yeah.. I saw another company managed it in less time (Without any source
> code from Microsoft as well)


Released here
http://www.hexblog.com/

http://www.crn.com/sections/breaking...leId=175801253
On one side stand a pair of well-known security organizations -- SANS Institute's
Internet Storm Center (ISC), and Helsinki-based security company F-Secure
-- that have been among the most active in researching the WMF
vulnerability and tracking its exploits.

The Guilfanov hotfix has been blessed by both.

"Install the patch," said Mikko Hypponen, F-Secure's chief research
officer. "We've tested and audited it and can recommend it. We're running
it on all of our own Windows machines."

--
Machine Always Crashes, If Not, The Operating System Hangs (MACINTOSH)
-- Topic on #Linux

 
 
Mr Undeniably Sluttish
 
      01-05-2006
On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:

>>> FYI, I've just checked the Windows Update site and the patch is available
>>> *now*

>>
>> gosh.. only a week too late

>
> It takes a finite amount of time to build and test a patch. This particular
> one covers 23 language variants and was tested against approximately 1000 PC
> configurations.


Why does it take Micro$oft so long to fix such a serious flaw? And yet at
least one other organisation that cannot have the use of the original
source code was able to produce, test, and release an effective
unofficial patch against this flaw nearly a week before Micro$oft could?

Looks like either Micro$oft truly does not care about these matters, or
Micro$oft has become a lumbering clumsy sloth, incapable of doing anything
efficiently and expeditiously.

Or maybe... both!


If you want a secure system: use Linux.

If you want a modern, fully up-to-date, rapidly developed and updated
system: use Linux.

If you want exclusive control over what your computer does: use Linux.

If you want to be forever bound to the one vendor, and be forever locked
into a merry-go-round of paying for software "upgrades" merely to be able to
read files written by other people using different iterations of the same
software: Use Micro$oft!

If you want to be forever needing to use anti-virus software: use
Micro$oft.


Undeniably Sluttish

--
"Simply opening the wrong Web page or receiving an e-mail with an errant
image file could be enough to cripple your computer, thanks to a newly
discovered vulnerability in the Microsoft Windows operating systems."

 
 
Impossible
 
      01-05-2006
"Shane" <> wrote in message
news...
> On Fri, 06 Jan 2006 10:05:35 +1300, Shane wrote:
>
>> On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:
>>
>>> "Shane" <> wrote in message
>>> news...
>>>> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
>>>>
>>>>> "Brett Roberts" <> wrote in
>>>>> message
>>>>> news:43bd84b6$...
>>>>>> Microsoft will be releasing the update (MS06-001) for the WMF
>>>>>> vulnerability today at 2pm PST (11am NZ time). PC's configured
>>>>>> for
>>>>>> automatic updating will receive the update without additional
>>>>>> user
>>>>>> intervention or customers can visit http://update.microsoft.com
>>>>>> to
>>>>>> initiate a manual update process.
>>>>>>
>>>>>> There is additional information on the vulnerability at
>>>>>> http://www.microsoft.com/technet/sec...ry/912840.mspx
>>>>>>
>>>>>> Brett Roberts
>>>>>> Microsoft NZ
>>>>>>
>>>>>> And now for a message from our legal people: ** this post is
>>>>>> provided
>>>>>> "AS IS" with no warranties, and confers no rights **
>>>>>>
>>>>>>
>>>>> FYI, I've just checked the Windows Update site and the patch is
>>>>> available *now*
>>>>>
>>>>> Brett
>>>>
>>>> gosh.. only a week too late
>>>>
>>>> --
>>>> BOFH excuse #231:
>>>>
>>>> We had to turn off that service to comply with the CDA Bill.
>>>>
>>>>
>>> It takes a finite amount of time to build and test a patch. This
>>> particular one covers 23 language variants and was tested against
>>> approximately 1000 PC configurations.

>>
>> Yeah.. I saw another company managed it in less time (Without any
>> source
>> code from Microsoft as well)


>
> Released here
> http://www.hexblog.com/
>
> http://www.crn.com/sections/breaking...leId=175801253
> On one side stand a pair of well-known security organizations --
> SANS Institute's
> Internet Storm Center (ISC), and Helsinki-based security company
> F-Secure
> -- that have been among the most active in researching the WMF
> vulnerability and tracking its exploits.
>
> The Guilfanov hotfix has been blessed by both.
>
> "Install the patch," said Mikko Hypponen, F-Secure's chief research
> officer. "We've tested and audited it and can recommend it. We're
> running
> it on all of our own Windows machines."
>


Whoops! You left something out:

"Jonah Paransky, a senior manager with Symantec's security response
team, gave even clearer advice. "There's a significant risk to putting
a third-party patch on enterprise systems," he said. "In our view,
it's a move of last resort."


 
 
Shane
 
      01-05-2006
On Thu, 05 Jan 2006 16:36:38 -0500, Impossible wrote:

> "Shane" <> wrote in message
> news...
>> On Fri, 06 Jan 2006 10:05:35 +1300, Shane wrote:
>>
>>> On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:
>>>
>>>> "Shane" <> wrote in message
>>>> news...
>>>>> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
>>>>>
>>>>>> "Brett Roberts" <> wrote in message
>>>>>> news:43bd84b6$...
>>>>>>> Microsoft will be releasing the update (MS06-001) for the WMF
>>>>>>> vulnerability today at 2pm PST (11am NZ time). PC's configured for
>>>>>>> automatic updating will receive the update without additional user
>>>>>>> intervention or customers can visit http://update.microsoft.com to
>>>>>>> initiate a manual update process.
>>>>>>>
>>>>>>> There is additional information on the vulnerability at
>>>>>>> http://www.microsoft.com/technet/sec...ry/912840.mspx
>>>>>>>
>>>>>>> Brett Roberts
>>>>>>> Microsoft NZ
>>>>>>>
>>>>>>> And now for a message from our legal people: ** this post is
>>>>>>> provided
>>>>>>> "AS IS" with no warranties, and confers no rights **
>>>>>>>
>>>>>>>
>>>>>> FYI, I've just checked the Windows Update site and the patch is
>>>>>> available *now*
>>>>>>
>>>>>> Brett
>>>>>
>>>>> gosh.. only a week too late
>>>>>
>>>>> --
>>>>> BOFH excuse #231:
>>>>>
>>>>> We had to turn off that service to comply with the CDA Bill.
>>>>>
>>>>>
>>>> It takes a finite amount of time to build and test a patch. This
>>>> particular one covers 23 language variants and was tested against
>>>> approximately 1000 PC configurations.
>>>
>>> Yeah.. I saw another company managed it in less time (Without any
>>> source
>>> code from Microsoft as well)

>
>
>> Released here
>> http://www.hexblog.com/
>>
>> http://www.crn.com/sections/breaking...leId=175801253
>> On one side stand a pair of well-known security organizations -- SANS
>> Institute's
>> Internet Storm Center (ISC), and Helsinki-based security company
>> F-Secure
>> -- that have been among the most active in researching the WMF
>> vulnerability and tracking its exploits.
>>
>> The Guilfanov hotfix has been blessed by both.
>>
>> "Install the patch," said Mikko Hypponen, F-Secure's chief research
>> officer. "We've tested and audited it and can recommend it. We're
>> running
>> it on all of our own Windows machines."
>>
>>

> Whoops! You left something out:
>
> "Jonah Paransky, a senior manager with Symantec's security response team,
> gave even clearer advice. "There's a significant risk to putting a
> third-party patch on enterprise systems," he said. "In our view, it's a
> move of last resort."


There's two schools of thought
One, patch yourself with the third party [stable] patch
or .. wait for the vendor to release their patch (at the time of that
article Microsoft were saying that was at least ten days away)
With the level of risk that the wmf vulnerability presented, companies had
a choice... patch.. or don't do business on the web... who's paying
compensation do you think for the losses?

--
We are experiencing system trouble -- do not adjust your terminal.

 
 
Brett Roberts
 
      01-05-2006
< snip >

>>>>
>>> It takes a finite amount of time to build and test a patch. This
>>> particular one covers 23 language variants and was tested against
>>> approximately 1000 PC configurations.

>>
>> Yeah.. I saw another company managed it in less time (Without any source
>> code from Microsoft as well)

>
> Released here
> http://www.hexblog.com/
>
> http://www.crn.com/sections/breaking...leId=175801253
> On one side stand a pair of well-known security organizations -- SANS
> Institute's
> Internet Storm Center (ISC), and Helsinki-based security company F-Secure
> -- that have been among the most active in researching the WMF
> vulnerability and tracking its exploits.
>
> The Guilfanov hotfix has been blessed by both.
>
> "Install the patch," said Mikko Hypponen, F-Secure's chief research
> officer. "We've tested and audited it and can recommend it. We're running
> it on all of our own Windows machines."
>
> --
> Machine Always Crashes, If Not, The Operating System Hangs (MACINTOSH)
> -- Topic on #Linux
>


And judging by some of the comments posted at
http://castlecops.com/f212-hexblog.html one could possibly speculate that
the 3rd party patch wasn't tested for 23 language variants and approximately
1000 PC configurations.


 