Microsoft to release WMF vulnerability update TODAY

Discussion in 'NZ Computing' started by Brett Roberts, Jan 5, 2006.

  1. Microsoft will be releasing the update (MS06-001) for the WMF vulnerability
    today at 2pm PST (11am NZ time). PC's configured for automatic updating will
    receive the update without additional user intervention or customers can
    visit http://update.microsoft.com to initiate a manual update process.

    There is additional information on the vulnerability at
    http://www.microsoft.com/technet/security/advisory/912840.mspx

    Brett Roberts
    Microsoft NZ

    And now for a message from our legal people:
    ** this post is provided "AS IS" with no warranties, and confers no rights
    **
    Brett Roberts, Jan 5, 2006
    #1

  2. "Brett Roberts" <> wrote in message
    news:43bd84b6$...
    > Microsoft will be releasing the update (MS06-001) for the WMF
    > vulnerability today at 2pm PST (11am NZ time). PC's configured for
    > automatic updating will receive the update without additional user
    > intervention or customers can visit http://update.microsoft.com to
    > initiate a manual update process.
    >
    > There is additional information on the vulnerability at
    > http://www.microsoft.com/technet/security/advisory/912840.mspx
    >
    > Brett Roberts
    > Microsoft NZ
    >
    > And now for a message from our legal people:
    > ** this post is provided "AS IS" with no warranties, and confers no rights
    > **
    >


    FYI, I've just checked the Windows Update site and the patch is available
    *now*

    Brett
    Brett Roberts, Jan 5, 2006
    #2

  3. Brett Roberts

    Shane Guest

    On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:

    > "Brett Roberts" <> wrote in message
    > news:43bd84b6$...
    >> Microsoft will be releasing the update (MS06-001) for the WMF
    >> vulnerability today at 2pm PST (11am NZ time). PC's configured for
    >> automatic updating will receive the update without additional user
    >> intervention or customers can visit http://update.microsoft.com to
    >> initiate a manual update process.
    >>
    >> There is additional information on the vulnerability at
    >> http://www.microsoft.com/technet/security/advisory/912840.mspx
    >>
    >> Brett Roberts
    >> Microsoft NZ
    >>
    >> And now for a message from our legal people: ** this post is provided
    >> "AS IS" with no warranties, and confers no rights **
    >>
    >>

    > FYI, I've just checked the Windows Update site and the patch is available
    > *now*
    >
    > Brett


    gosh.. only a week too late

    --
    BOFH excuse #231:

    We had to turn off that service to comply with the CDA Bill.
    Shane, Jan 5, 2006
    #3
  4. "Shane" <-a-geek.net> wrote in message
    news:p-a-geek.net...
    > On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
    >
    >> "Brett Roberts" <> wrote in message
    >> news:43bd84b6$...
    >>> Microsoft will be releasing the update (MS06-001) for the WMF
    >>> vulnerability today at 2pm PST (11am NZ time). PC's configured for
    >>> automatic updating will receive the update without additional user
    >>> intervention or customers can visit http://update.microsoft.com to
    >>> initiate a manual update process.
    >>>
    >>> There is additional information on the vulnerability at
    >>> http://www.microsoft.com/technet/security/advisory/912840.mspx
    >>>
    >>> Brett Roberts
    >>> Microsoft NZ
    >>>
    >>> And now for a message from our legal people: ** this post is provided
    >>> "AS IS" with no warranties, and confers no rights **
    >>>
    >>>

    >> FYI, I've just checked the Windows Update site and the patch is available
    >> *now*
    >>
    >> Brett

    >
    > gosh.. only a week too late
    >
    > --
    > BOFH excuse #231:
    >
    > We had to turn off that service to comply with the CDA Bill.
    >


    It takes a finite amount of time to build and test a patch. This particular
    one covers 23 language variants and was tested against approximately 1000 PC
    configurations.
    Brett Roberts, Jan 5, 2006
    #4
  5. Brett Roberts

    Shane Guest

    On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:

    > "Shane" <-a-geek.net> wrote in message
    > news:p-a-geek.net...
    >> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
    >>
    >>> "Brett Roberts" <> wrote in message
    >>> news:43bd84b6$...
    >>>> Microsoft will be releasing the update (MS06-001) for the WMF
    >>>> vulnerability today at 2pm PST (11am NZ time). PC's configured for
    >>>> automatic updating will receive the update without additional user
    >>>> intervention or customers can visit http://update.microsoft.com to
    >>>> initiate a manual update process.
    >>>>
    >>>> There is additional information on the vulnerability at
    >>>> http://www.microsoft.com/technet/security/advisory/912840.mspx
    >>>>
    >>>> Brett Roberts
    >>>> Microsoft NZ
    >>>>
    >>>> And now for a message from our legal people: ** this post is provided
    >>>> "AS IS" with no warranties, and confers no rights **
    >>>>
    >>>>
    >>> FYI, I've just checked the Windows Update site and the patch is
    >>> available *now*
    >>>
    >>> Brett

    >>
    >> gosh.. only a week too late
    >>
    >> --
    >> BOFH excuse #231:
    >>
    >> We had to turn off that service to comply with the CDA Bill.
    >>
    >>

    > It takes a finite amount of time to build and test a patch. This
    > particular one covers 23 language variants and was tested against
    > approximately 1000 PC configurations.


    Yeah.. I saw another company managed it in less time
    (Without any source code from Microsoft as well)

    --
    A pain in the ass of major dimensions.
    -- C.A. Desoer, on the solution of non-linear circuits
    Shane, Jan 5, 2006
    #5
  6. Brett Roberts

    Shane Guest

    On Fri, 06 Jan 2006 10:05:35 +1300, Shane wrote:

    > On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:
    >
    >> "Shane" <-a-geek.net> wrote in message
    >> news:p-a-geek.net...
    >>> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
    >>>
    >>>> "Brett Roberts" <> wrote in message
    >>>> news:43bd84b6$...
    >>>>> Microsoft will be releasing the update (MS06-001) for the WMF
    >>>>> vulnerability today at 2pm PST (11am NZ time). PC's configured for
    >>>>> automatic updating will receive the update without additional user
    >>>>> intervention or customers can visit http://update.microsoft.com to
    >>>>> initiate a manual update process.
    >>>>>
    >>>>> There is additional information on the vulnerability at
    >>>>> http://www.microsoft.com/technet/security/advisory/912840.mspx
    >>>>>
    >>>>> Brett Roberts
    >>>>> Microsoft NZ
    >>>>>
    >>>>> And now for a message from our legal people: ** this post is provided
    >>>>> "AS IS" with no warranties, and confers no rights **
    >>>>>
    >>>>>
    >>>> FYI, I've just checked the Windows Update site and the patch is
    >>>> available *now*
    >>>>
    >>>> Brett
    >>>
    >>> gosh.. only a week too late
    >>>
    >>> --
    >>> BOFH excuse #231:
    >>>
    >>> We had to turn off that service to comply with the CDA Bill.
    >>>
    >>>

    >> It takes a finite amount of time to build and test a patch. This
    >> particular one covers 23 language variants and was tested against
    >> approximately 1000 PC configurations.

    >
    > Yeah.. I saw another company managed it in less time (Without any source
    > code from Microsoft as well)


    Released here
    http://www.hexblog.com/

    http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=175801253
    On one side stand a pair of well-known security organizations -- SANS Institute's
    Internet Storm Center (ISC), and Helsinki-based security company F-Secure
    -- that have been among the most active in researching the WMF
    vulnerability and tracking its exploits.

    The Guilfanov hotfix has been blessed by both.

    "Install the patch," said Mikko Hypponen, F-Secure's chief research
    officer. "We've tested and audited it and can recommend it. We're running
    it on all of our own Windows machines."

    --
    Machine Always Crashes, If Not, The Operating System Hangs (MACINTOSH)
    -- Topic on #Linux
    Shane, Jan 5, 2006
    #6
  7. On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:

    >>> FYI, I've just checked the Windows Update site and the patch is available
    >>> *now*

    >>
    >> gosh.. only a week too late

    >
    > It takes a finite amount of time to build and test a patch. This particular
    > one covers 23 language variants and was tested against approximately 1000 PC
    > configurations.


    Why does it take Micro$oft so long to fix such a serious flaw? And yet at
    least one other organisation that cannot have the use of the original
    source code was able to produce, test, and release an effective
    unofficial patch against this flaw nearly a week before Micro$oft could?

    Looks like either Micro$oft truly does not care about these matters, or
    Micro$oft has become a lumbering clumsy sloth, incapable of doing anything
    efficiently and expeditiously.

    Or maybe... both!


    If you want a secure system: use Linux.

    If you want a modern, fully up-to-date, rapidly developed and updated
    system: use Linux.

    If you want exclusive control over what your computer does: use Linux.

    If you want to be forever bound to the one vendor, and be forever locked
    into a merrygoround of paying for software "upgrades" merely to be able to
    read files written by other people using different iterations of the same
    software: Use Micro$oft!

    If you want to be forever needing to use anti-virus software: use
    Micro$oft.


    Undeniably Sluttish

    --
    "Simply opening the wrong Web page or receiving an e-mail with an errant
    image file could be enough to cripple your computer, thanks to a newly
    discovered vulnerability in the Microsoft Windows operating systems."
    Mr Undeniably Sluttish, Jan 5, 2006
    #7
  8. Brett Roberts

    Impossible Guest

    "Shane" <-a-geek.net> wrote in message
    news:p-a-geek.net...
    > On Fri, 06 Jan 2006 10:05:35 +1300, Shane wrote:
    >
    >> On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:
    >>
    >>> "Shane" <-a-geek.net> wrote in message
    >>> news:p-a-geek.net...
    >>>> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
    >>>>
    >>>>> "Brett Roberts" <> wrote in
    >>>>> message
    >>>>> news:43bd84b6$...
    >>>>>> Microsoft will be releasing the update (MS06-001) for the WMF
    >>>>>> vulnerability today at 2pm PST (11am NZ time). PC's configured
    >>>>>> for
    >>>>>> automatic updating will receive the update without additional
    >>>>>> user
    >>>>>> intervention or customers can visit http://update.microsoft.com
    >>>>>> to
    >>>>>> initiate a manual update process.
    >>>>>>
    >>>>>> There is additional information on the vulnerability at
    >>>>>> http://www.microsoft.com/technet/security/advisory/912840.mspx
    >>>>>>
    >>>>>> Brett Roberts
    >>>>>> Microsoft NZ
    >>>>>>
    >>>>>> And now for a message from our legal people: ** this post is
    >>>>>> provided
    >>>>>> "AS IS" with no warranties, and confers no rights **
    >>>>>>
    >>>>>>
    >>>>> FYI, I've just checked the Windows Update site and the patch is
    >>>>> available *now*
    >>>>>
    >>>>> Brett
    >>>>
    >>>> gosh.. only a week too late
    >>>>
    >>>> --
    >>>> BOFH excuse #231:
    >>>>
    >>>> We had to turn off that service to comply with the CDA Bill.
    >>>>
    >>>>
    >>> It takes a finite amount of time to build and test a patch. This
    >>> particular one covers 23 language variants and was tested against
    >>> approximately 1000 PC configurations.

    >>
    >> Yeah.. I saw another company managed it in less time (Without any
    >> source
    >> code from Microsoft as well)


    >
    > Released here
    > http://www.hexblog.com/
    >
    > http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=175801253
    > On one side stand a pair of well-known security organizations --
    > SANS Institute's
    > Internet Storm Center (ISC), and Helsinki-based security company
    > F-Secure
    > -- that have been among the most active in researching the WMF
    > vulnerability and tracking its exploits.
    >
    > The Guilfanov hotfix has been blessed by both.
    >
    > "Install the patch," said Mikko Hypponen, F-Secure's chief research
    > officer. "We've tested and audited it and can recommend it. We're
    > running
    > it on all of our own Windows machines."
    >


    Whoops! You left something out:

    "Jonah Paransky, a senior manager with Symantec's security response
    team, gave even clearer advice. "There's a significant risk to putting
    a third-party patch on enterprise systems," he said. "In our view,
    it's a move of last resort."
    Impossible, Jan 5, 2006
    #8
  9. Brett Roberts

    Shane Guest

    On Thu, 05 Jan 2006 16:36:38 -0500, Impossible wrote:

    > "Shane" <-a-geek.net> wrote in message
    > news:p-a-geek.net...
    >> On Fri, 06 Jan 2006 10:05:35 +1300, Shane wrote:
    >>
    >>> On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:
    >>>
    >>>> "Shane" <-a-geek.net> wrote in message
    >>>> news:p-a-geek.net...
    >>>>> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
    >>>>>
    >>>>>> "Brett Roberts" <> wrote in message
    >>>>>> news:43bd84b6$...
    >>>>>>> Microsoft will be releasing the update (MS06-001) for the WMF
    >>>>>>> vulnerability today at 2pm PST (11am NZ time). PC's configured for
    >>>>>>> automatic updating will receive the update without additional user
    >>>>>>> intervention or customers can visit http://update.microsoft.com to
    >>>>>>> initiate a manual update process.
    >>>>>>>
    >>>>>>> There is additional information on the vulnerability at
    >>>>>>> http://www.microsoft.com/technet/security/advisory/912840.mspx
    >>>>>>>
    >>>>>>> Brett Roberts
    >>>>>>> Microsoft NZ
    >>>>>>>
    >>>>>>> And now for a message from our legal people: ** this post is
    >>>>>>> provided
    >>>>>>> "AS IS" with no warranties, and confers no rights **
    >>>>>>>
    >>>>>>>
    >>>>>> FYI, I've just checked the Windows Update site and the patch is
    >>>>>> available *now*
    >>>>>>
    >>>>>> Brett
    >>>>>
    >>>>> gosh.. only a week too late
    >>>>>
    >>>>> --
    >>>>> BOFH excuse #231:
    >>>>>
    >>>>> We had to turn off that service to comply with the CDA Bill.
    >>>>>
    >>>>>
    >>>> It takes a finite amount of time to build and test a patch. This
    >>>> particular one covers 23 language variants and was tested against
    >>>> approximately 1000 PC configurations.
    >>>
    >>> Yeah.. I saw another company managed it in less time (Without any
    >>> source
    >>> code from Microsoft as well)

    >
    >
    >> Released here
    >> http://www.hexblog.com/
    >>
    >> http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=175801253
    >> On one side stand a pair of well-known security organizations -- SANS
    >> Institute's
    >> Internet Storm Center (ISC), and Helsinki-based security company
    >> F-Secure
    >> -- that have been among the most active in researching the WMF
    >> vulnerability and tracking its exploits.
    >>
    >> The Guilfanov hotfix has been blessed by both.
    >>
    >> "Install the patch," said Mikko Hypponen, F-Secure's chief research
    >> officer. "We've tested and audited it and can recommend it. We're
    >> running
    >> it on all of our own Windows machines."
    >>
    >>

    > Whoops! You left something out:
    >
    > "Jonah Paransky, a senior manager with Symantec's security response team,
    > gave even clearer advice. "There's a significant risk to putting a
    > third-party patch on enterprise systems," he said. "In our view, it's a
    > move of last resort."


    There's two schools of thought
    One, patch yourself with the third party [stable] patch
    or .. wait for the vendor to release their patch (at the time of that
    article Microsoft were saying that was at least ten days away)
    With the level of risk that the WMF vulnerability presented, companies had
    a choice... patch.. or don't do business on the web... who's paying
    compensation do you think for the losses?

    --
    We are experiencing system trouble -- do not adjust your terminal.
    Shane, Jan 5, 2006
    #9
  10. < snip >

    >>>>
    >>> It takes a finite amount of time to build and test a patch. This
    >>> particular one covers 23 language variants and was tested against
    >>> approximately 1000 PC configurations.

    >>
    >> Yeah.. I saw another company managed it in less time (Without any source
    >> code from Microsoft as well)

    >
    > Released here
    > http://www.hexblog.com/
    >
    > http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=175801253
    > On one side stand a pair of well-known security organizations -- SANS
    > Institute's
    > Internet Storm Center (ISC), and Helsinki-based security company F-Secure
    > -- that have been among the most active in researching the WMF
    > vulnerability and tracking its exploits.
    >
    > The Guilfanov hotfix has been blessed by both.
    >
    > "Install the patch," said Mikko Hypponen, F-Secure's chief research
    > officer. "We've tested and audited it and can recommend it. We're running
    > it on all of our own Windows machines."
    >
    > --
    > Machine Always Crashes, If Not, The Operating System Hangs (MACINTOSH)
    > -- Topic on #Linux
    >


    And judging by some of the comments posted at
    http://castlecops.com/f212-hexblog.html one could possibly speculate that
    the 3rd party patch wasn't tested for 23 language variants and approximately
    1000 PC configurations.
    Brett Roberts, Jan 5, 2006
    #10
  11. On Fri, 06 Jan 2006 10:17:17 +1300, Shane wrote:

    >> Yeah.. I saw another company managed it in less time (Without any
    >> source code from Microsoft as well)

    >
    > Released here
    > http://www.hexblog.com/
    >
    > http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=175801253
    > On one side stand a pair of well-known security organizations -- SANS
    > Institute's Internet Storm Center (ISC), and Helsinki-based security
    > company F-Secure -- that have been among the most active in researching
    > the WMF vulnerability and tracking its exploits.
    >
    > The Guilfanov hotfix has been blessed by both.
    >
    > "Install the patch," said Mikko Hypponen, F-Secure's chief research
    > officer. "We've tested and audited it and can recommend it. We're
    > running it on all of our own Windows machines."


    What they were really saying was that they didn't trust Micro$oft to
    actually produce a patch that was effective, and sorted out only that one
    problem, quickly enough.

    And they were right!


    Undeniably Sluttish

    --
    "Simply opening the wrong Web page or receiving an e-mail with an errant
    image file could be enough to cripple your computer, thanks to a newly
    discovered vulnerability in the Microsoft Windows operating systems."
    Mr Undeniably Sluttish, Jan 5, 2006
    #11
  12. "Mr Undeniably Sluttish" <> wrote in message
    news:p...
    > On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:
    >
    >>>> FYI, I've just checked the Windows Update site and the patch is
    >>>> available
    >>>> *now*
    >>>
    >>> gosh.. only a week too late

    >>
    >> It takes a finite amount of time to build and test a patch. This
    >> particular
    >> one covers 23 language variants and was tested against approximately 1000
    >> PC
    >> configurations.

    >
    > Why does it take Micro$oft so long to fix such a serious flaw? And yet at
    > least one other organisation that cannot have the use of the original
    > source code was able to produce, test, and release an effective
    > unofficial patch against this flaw nearly a week before Micro$oft could?
    >
    > Looks like either Micro$oft truly does not care about these matters, or
    > Micro$oft has become a lumbering clumsy sloth, incapable of doing anything
    > efficiently and expeditiously.
    >
    > Or maybe... both!
    >
    >
    > If you want a secure system: use Linux.
    >
    > If you want a modern, fully up-to-date, rapidly developed and updated
    > system: use Linux.
    >
    > If you want exclusive control over what your computer does: use Linux.
    >
    > If you want to be forever bound to the one vendor, and be forever locked
    > into a merrygoround of paying for software "upgrades" merely to be able to
    > read files written by other people using different iterations of the same
    > software: Use Micro$oft!
    >
    > If you want to be forever needing to use anti-virus software: use
    > Micro$oft.
    >
    >
    > Undeniably Sluttish
    >
    > --
    > "Simply opening the wrong Web page or receiving an e-mail with an errant
    > image file could be enough to cripple your computer, thanks to a newly
    > discovered vulnerability in the Microsoft Windows operating systems."
    >


    See previous posts re issues with the 3rd party patch and comments from
    Symantec about avoiding such things.
    Brett Roberts, Jan 5, 2006
    #12
  13. Brett Roberts

    Shane Guest

    On Fri, 06 Jan 2006 10:46:13 +1300, Brett Roberts wrote:

    > < snip >
    >
    >
    >>>> It takes a finite amount of time to build and test a patch. This
    >>>> particular one covers 23 language variants and was tested against
    >>>> approximately 1000 PC configurations.
    >>>
    >>> Yeah.. I saw another company managed it in less time (Without any
    >>> source code from Microsoft as well)

    >>
    >> Released here
    >> http://www.hexblog.com/
    >>
    >> http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=175801253
    >> On one side stand a pair of well-known security organizations -- SANS
    >> Institute's
    >> Internet Storm Center (ISC), and Helsinki-based security company
    >> F-Secure -- that have been among the most active in researching the WMF
    >> vulnerability and tracking its exploits.
    >>
    >> The Guilfanov hotfix has been blessed by both.
    >>
    >> "Install the patch," said Mikko Hypponen, F-Secure's chief research
    >> officer. "We've tested and audited it and can recommend it. We're
    >> running it on all of our own Windows machines."
    >>
    >> --
    >> Machine Always Crashes, If Not, The Operating System Hangs (MACINTOSH)
    >> -- Topic on #Linux
    >>
    >>

    > And judging by some of the comments posted at
    > http://castlecops.com/f212-hexblog.html one could possibly speculate that
    > the 3rd party patch wasn't tested for 23 language variants and
    > approximately 1000 PC configurations.



    Speculate away
    meanwhile I'll speculate this third party patch, and the fact the
    vulnerability showed how pathetic the support is from Microsoft that
    companies should take a real look at what products they use




    --
    BOFH excuse #435:

    Internet shut down due to maintenance
    Shane, Jan 5, 2006
    #13
  14. Brett Roberts

    Impossible Guest

    "Shane" <-a-geek.net> wrote in message
    news:p-a-geek.net...
    > On Thu, 05 Jan 2006 16:36:38 -0500, Impossible wrote:
    >
    >> "Shane" <-a-geek.net> wrote in message
    >> news:p-a-geek.net...
    >>> On Fri, 06 Jan 2006 10:05:35 +1300, Shane wrote:
    >>>
    >>>> On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:
    >>>>
    >>>>> "Shane" <-a-geek.net> wrote in message
    >>>>> news:p-a-geek.net...
    >>>>>> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
    >>>>>>
    >>>>>>> "Brett Roberts" <> wrote in
    >>>>>>> message
    >>>>>>> news:43bd84b6$...
    >>>>>>>> Microsoft will be releasing the update (MS06-001) for the WMF
    >>>>>>>> vulnerability today at 2pm PST (11am NZ time). PC's
    >>>>>>>> configured for
    >>>>>>>> automatic updating will receive the update without additional
    >>>>>>>> user
    >>>>>>>> intervention or customers can visit
    >>>>>>>> http://update.microsoft.com to
    >>>>>>>> initiate a manual update process.
    >>>>>>>>
    >>>>>>>> There is additional information on the vulnerability at
    >>>>>>>> http://www.microsoft.com/technet/security/advisory/912840.mspx
    >>>>>>>>
    >>>>>>>> Brett Roberts
    >>>>>>>> Microsoft NZ
    >>>>>>>>
    >>>>>>>> And now for a message from our legal people: ** this post is
    >>>>>>>> provided
    >>>>>>>> "AS IS" with no warranties, and confers no rights **
    >>>>>>>>
    >>>>>>>>
    >>>>>>> FYI, I've just checked the Windows Update site and the patch
    >>>>>>> is
    >>>>>>> available *now*
    >>>>>>>
    >>>>>>> Brett
    >>>>>>
    >>>>>> gosh.. only a week too late
    >>>>>>
    >>>>>> --
    >>>>>> BOFH excuse #231:
    >>>>>>
    >>>>>> We had to turn off that service to comply with the CDA Bill.
    >>>>>>
    >>>>>>
    >>>>> It takes a finite amount of time to build and test a patch. This
    >>>>> particular one covers 23 language variants and was tested
    >>>>> against
    >>>>> approximately 1000 PC configurations.
    >>>>
    >>>> Yeah.. I saw another company managed it in less time (Without any
    >>>> source
    >>>> code from Microsoft as well)

    >>
    >>
    >>> Released here
    >>> http://www.hexblog.com/
    >>>
    >>> http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=175801253
    >>> On one side stand a pair of well-known security organizations --
    >>> SANS
    >>> Institute's
    >>> Internet Storm Center (ISC), and Helsinki-based security company
    >>> F-Secure
    >>> -- that have been among the most active in researching the WMF
    >>> vulnerability and tracking its exploits.
    >>>
    >>> The Guilfanov hotfix has been blessed by both.
    >>>
    >>> "Install the patch," said Mikko Hypponen, F-Secure's chief
    >>> research
    >>> officer. "We've tested and audited it and can recommend it. We're
    >>> running
    >>> it on all of our own Windows machines."
    >>>
    >>>

    >> Whoops! You left something out:
    >>
    >> "Jonah Paransky, a senior manager with Symantec's security response
    >> team,
    >> gave even clearer advice. "There's a significant risk to putting a
    >> third-party patch on enterprise systems," he said. "In our view,
    >> it's a
    >> move of last resort."

    >
    > There's two schools of thought
    > One, patch yourself with the third party [stable] patch
    > or .. wait for the vendor to release their patch (at the time of
    > that
    > article Microsoft were saying that was at least ten days away)
    > With the level of risk that the WMF vulnerability presented,
    > companies had
    > a choice... patch.. or don't do business on the web... who's paying
    > compensation do you think for the losses?
    >


    Point is, those security companies that cobble together a "fix" are
    just doing a bit of advertising. Their patch only needed to be
    "stable" for a day or two for the most common configurations -- no one
    was going to slam them for cutting corners and crashing machines here
    and there, so they had nothing to lose by trying to get their name
    out. Microsoft, I would hope, was more thorough.
    Impossible, Jan 5, 2006
    #14
  15. Brett Roberts

    Shane Guest

    On Thu, 05 Jan 2006 16:59:43 -0500, Impossible wrote:

    > "Shane" <-a-geek.net> wrote in message
    > news:p-a-geek.net...
    >> On Thu, 05 Jan 2006 16:36:38 -0500, Impossible wrote:
    >>
    >>> "Shane" <-a-geek.net> wrote in message
    >>> news:p-a-geek.net...
    >>>> On Fri, 06 Jan 2006 10:05:35 +1300, Shane wrote:
    >>>>
    >>>>> On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:
    >>>>>
    >>>>>> "Shane" <-a-geek.net> wrote in message
    >>>>>> news:p-a-geek.net...
    >>>>>>> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
    >>>>>>>
    >>>>>>>> "Brett Roberts" <> wrote in message
    >>>>>>>> news:43bd84b6$...
    >>>>>>>>> Microsoft will be releasing the update (MS06-001) for the WMF
    >>>>>>>>> vulnerability today at 2pm PST (11am NZ time). PC's configured
    >>>>>>>>> for
    >>>>>>>>> automatic updating will receive the update without additional
    >>>>>>>>> user
    >>>>>>>>> intervention or customers can visit
    >>>>>>>>> http://update.microsoft.com to
    >>>>>>>>> initiate a manual update process.
    >>>>>>>>>
    >>>>>>>>> There is additional information on the vulnerability at
    >>>>>>>>> http://www.microsoft.com/technet/security/advisory/912840.mspx
    >>>>>>>>>
    >>>>>>>>> Brett Roberts
    >>>>>>>>> Microsoft NZ
    >>>>>>>>>
    >>>>>>>>> And now for a message from our legal people: ** this post is
    >>>>>>>>> provided
    >>>>>>>>> "AS IS" with no warranties, and confers no rights **
    >>>>>>>>>
    >>>>>>>>>
    >>>>>>>> FYI, I've just checked the Windows Update site and the patch is
    >>>>>>>> available *now*
    >>>>>>>>
    >>>>>>>> Brett
    >>>>>>>
    >>>>>>> gosh.. only a week too late
    >>>>>>>
    >>>>>>> --
    >>>>>>> BOFH excuse #231:
    >>>>>>>
    >>>>>>> We had to turn off that service to comply with the CDA Bill.
    >>>>>>>
    >>>>>>>
    >>>>>> It takes a finite amount of time to build and test a patch. This
    >>>>>> particular one covers 23 language variants and was tested against
    >>>>>> approximately 1000 PC configurations.
    >>>>>
    >>>>> Yeah.. I saw another company managed it in less time (Without any
    >>>>> source
    >>>>> code from Microsoft as well)
    >>>
    >>>
    >>>> Released here
    >>>> http://www.hexblog.com/
    >>>>
    >>>> http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=175801253
    >>>> On one side stand a pair of well-known security organizations -- SANS
    >>>> Institute's
    >>>> Internet Storm Center (ISC), and Helsinki-based security company
    >>>> F-Secure
    >>>> -- that have been among the most active in researching the WMF
    >>>> vulnerability and tracking its exploits.
    >>>>
    >>>> The Guilfanov hotfix has been blessed by both.
    >>>>
    >>>> "Install the patch," said Mikko Hypponen, F-Secure's chief research
    >>>> officer. "We've tested and audited it and can recommend it. We're
    >>>> running
    >>>> it on all of our own Windows machines."
    >>>>
    >>>>
    >>> Whoops! You left something out:
    >>>
    >>> "Jonah Paransky, a senior manager with Symantec's security response
    >>> team,
    >>> gave even clearer advice. "There's a significant risk to putting a
    >>> third-party patch on enterprise systems," he said. "In our view, it's a
    >>> move of last resort."

    >>
    >> There's two schools of thought
    >> One, patch yourself with the third party [stable] patch or .. wait for
    >> the vendor to release their patch (at the time of that
    >> article Microsoft were saying that was at least ten days away) With the
    >> level of risk that the WMF vulnerability presented, companies had
    >> a choice... patch.. or don't do business on the web... who's paying
    >> compensation do you think for the losses?
    >>
    >>

    > Point is, those security companies that cobble together a "fix" are just
    > doing a bit of advertising. Their patch only needed to be "stable" for a
    > day or two for the most common configurations -- no one was going to slam
    > them for cutting corners and crashing machines here and there, so they had
    > nothing to lose by trying to get their name out. Microsoft, I would hope,
    > was more thorough.


    Umm no..
    Cobbled together wouldn't be 'stable'
    Nice try though
    Are you saying that Microsoft's patches that have proven not to be stable,
    and have caused issues for end users are 'cobbled together'?
    (Take a close look at the furore sp2 caused)

    --
    <Skyhook> Where is 'bavaria' proper? I thought it was austria.
    -- Seen on #Linux
    Shane, Jan 5, 2006
    #15
  16. On Thu, 05 Jan 2006 16:59:43 -0500, Impossible wrote:

    > Point is, those security companies that cobble together a "fix" are
    > just doing a bit of advertising. Their patch only needed to be
    > "stable" for a day or two for the most common configurations -- no one
    > was going to slam them for cutting corners and crashing machines here
    > and there, so they had nothing to lose by trying to get their name
    > out. Microsoft, I would hope, was more thorough.


    I see you attribute the same foul motives to those companies as what
    Micro$oft has.

    Shame on you!


    Undeniably Sluttish

    --
    "Simply opening the wrong Web page or receiving an e-mail with an errant
    image file could be enough to cripple your computer, thanks to a newly
    discovered vulnerability in the Microsoft Windows operating systems."
    Mr Undeniably Sluttish, Jan 5, 2006
    #16
  17. Brett Roberts

    Impossible Guest

    "Shane" <-a-geek.net> wrote in message
    news:p-a-geek.net...
    > On Thu, 05 Jan 2006 16:59:43 -0500, Impossible wrote:
    >
    >> "Shane" <-a-geek.net> wrote in message
    >> news:p-a-geek.net...
    >>> On Thu, 05 Jan 2006 16:36:38 -0500, Impossible wrote:
    >>>
    >>>> "Shane" <-a-geek.net> wrote in message
    >>>> news:p-a-geek.net...
    >>>>> On Fri, 06 Jan 2006 10:05:35 +1300, Shane wrote:
    >>>>>
    >>>>>> On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:
    >>>>>>
    >>>>>>> "Shane" <-a-geek.net> wrote in message
    >>>>>>> news:p-a-geek.net...
    >>>>>>>> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
    >>>>>>>>
    >>>>>>>>> "Brett Roberts" <> wrote in
    >>>>>>>>> message
    >>>>>>>>> news:43bd84b6$...
    >>>>>>>>>> Microsoft will be releasing the update (MS06-001) for the
    >>>>>>>>>> WMF
    >>>>>>>>>> vulnerability today at 2pm PST (11am NZ time). PC's
    >>>>>>>>>> configured
    >>>>>>>>>> for
    >>>>>>>>>> automatic updating will receive the update without
    >>>>>>>>>> additional
    >>>>>>>>>> user
    >>>>>>>>>> intervention or customers can visit
    >>>>>>>>>> http://update.microsoft.com to
    >>>>>>>>>> initiate a manual update process.
    >>>>>>>>>>
    >>>>>>>>>> There is additional information on the vulnerability at
    >>>>>>>>>> http://www.microsoft.com/technet/security/advisory/912840.mspx
    >>>>>>>>>>
    >>>>>>>>>> Brett Roberts
    >>>>>>>>>> Microsoft NZ
    >>>>>>>>>>
    >>>>>>>>>> And now for a message from our legal people: ** this post
    >>>>>>>>>> is
    >>>>>>>>>> provided
    >>>>>>>>>> "AS IS" with no warranties, and confers no rights **
    >>>>>>>>>>
    >>>>>>>>>>
    >>>>>>>>> FYI, I've just checked the Windows Update site and the patch
    >>>>>>>>> is
    >>>>>>>>> available *now*
    >>>>>>>>>
    >>>>>>>>> Brett
    >>>>>>>>
    >>>>>>>> gosh.. only a week too late
    >>>>>>>>
    >>>>>>>> --
    >>>>>>>> BOFH excuse #231:
    >>>>>>>>
    >>>>>>>> We had to turn off that service to comply with the CDA Bill.
    >>>>>>>>
    >>>>>>>>
    >>>>>>> It takes a finite amount of time to build and test a patch.
    >>>>>>> This
    >>>>>>> particular one covers 23 language variants and was tested
    >>>>>>> against
    >>>>>>> approximately 1000 PC configurations.
    >>>>>>
    >>>>>> Yeah.. I saw another company managed it in less time (Without
    >>>>>> any
    >>>>>> source
    >>>>>> code from Microsoft as well)
    >>>>
    >>>>
    >>>>> Released here
    >>>>> http://www.hexblog.com/
    >>>>>
    >>>>> http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=175801253
    >>>>> On one side stand a pair of well-known security organizations --
    >>>>> SANS
    >>>>> Institute's
    >>>>> Internet Storm Center (ISC), and Helsinki-based security company
    >>>>> F-Secure
    >>>>> -- that have been among the most active in researching the WMF
    >>>>> vulnerability and tracking its exploits.
    >>>>>
    >>>>> The Guilfanov hotfix has been blessed by both.
    >>>>>
    >>>>> "Install the patch," said Mikko Hypponen, F-Secure's chief
    >>>>> research
    >>>>> officer. "We've tested and audited it and can recommend it.
    >>>>> We're
    >>>>> running
    >>>>> it on all of our own Windows machines."
    >>>>>
    >>>>>
    >>>> Whoops! You left something out:
    >>>>
    >>>> "Jonah Paransky, a senior manager with Symantec's security
    >>>> response
    >>>> team,
    >>>> gave even clearer advice. "There's a significant risk to putting
    >>>> a
    >>>> third-party patch on enterprise systems," he said. "In our view,
    >>>> it's a
    >>>> move of last resort."
    >>>
    >>> Theres two schools of thought
    >>> One, patch yourself with the third party [stable] patch or .. wait
    >>> for
    >>> the vendor to release their patch (at the time of that
    >>> article Microsoft were saying that was at least ten days away)
    >>> With the
    >>> level of risk that the wmf vulnerability presented, companys had
    >>> a choice... patch.. or dont do business on the web... whos paying
    >>> compensation do you think for the losses?
    >>>
    >>>

    >> Point is, those security companies that cobble together a "fix" are
    >> just
    >> doing a bit of advertising. Their patch only needed to be "stable"
    >> for a
    >> day or two for the most common configurations -- no one was going
    >> to slam
    >> them for cutting corners and crashing machines here and there, so
    >> they had
    >> nothing to lose by trying to get their name out. Microsoft, I would
    >> hope,
    >> was more thorough.

    >
    > Umm no..
    > Cobbled together wouldnt be 'stable'
    > Nice try though


    "Stable" is a relative term -- depends how many different machine
    configurations have been tested and under what operating conditions.
    And of course we'll never know, since everyone will be using the MS
    patch now. Nice try though

    > Are you saying that Microsofts patches that have proven not to be
    > stable,
    > and have caused issues for end users are 'cobbled together'
    > (Take a close look at the furore sp2 caused)


    You're trying to change the subject -- nice try again, but I'm not
    going there. Suffice it to say that if ANY piece of software hasn't
    been thoroughly tested, then yes, I'd say it had been cobbled together.
    Impossible, Jan 5, 2006
    #17
  18. "Shane" <-a-geek.net> wrote in message
    news:p-a-geek.net...
    > On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:
    >
    >> "Shane" <-a-geek.net> wrote in message
    >> news:p-a-geek.net...
    >>> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
    >>>
    >>>> "Brett Roberts" <> wrote in message
    >>>> news:43bd84b6$...
    >>>>> Microsoft will be releasing the update (MS06-001) for the WMF
    >>>>> vulnerability today at 2pm PST (11am NZ time). PC's configured for
    >>>>> automatic updating will receive the update without additional user
    >>>>> intervention or customers can visit http://update.microsoft.com to
    >>>>> initiate a manual update process.
    >>>>>
    >>>>> There is additional information on the vulnerability at
    >>>>> http://www.microsoft.com/technet/security/advisory/912840.mspx
    >>>>>
    >>>>> Brett Roberts
    >>>>> Microsoft NZ
    >>>>>
    >>>>> And now for a message from our legal people: ** this post is provided
    >>>>> "AS IS" with no warranties, and confers no rights **
    >>>>>
    >>>>>
    >>>> FYI, I've just checked the Windows Update site and the patch is
    >>>> available *now*
    >>>>
    >>>> Brett
    >>>
    >>> gosh.. only a week too late
    >>>
    >>> --
    >>> BOFH excuse #231:
    >>>
    >>> We had to turn off that service to comply with the CDA Bill.
    >>>
    >>>

    >> It takes a finite amount of time to build and test a patch. This
    >> particular one covers 23 language variants and was tested against
    >> approximately 1000 PC configurations.

    >
    > Yeah.. I saw another company managed it in less time
    > (Without any source code from Microsoft as well)
    >
    > --
    > A pain in the ass of major dimensions.
    > -- C.A. Desoer, on the solution of non-linear circuits
    >


    That's the nature of software development at a large company vs a small one.
    Large companies have quality standards which evolve over a long time to
    ensure their software actually works.

    As opposed to a small company with a few English customers who can whip out
    an emergency fix very quickly.
    news.xtra.co.nz, Jan 5, 2006
    #18
  19. Brett Roberts

    Shane Guest

    On Thu, 05 Jan 2006 17:27:28 -0500, Impossible wrote:

    > "Shane" <-a-geek.net> wrote in message
    > news:p-a-geek.net...
    >> On Thu, 05 Jan 2006 16:59:43 -0500, Impossible wrote:
    >>
    >>> "Shane" <-a-geek.net> wrote in message
    >>> news:p-a-geek.net...
    >>>> On Thu, 05 Jan 2006 16:36:38 -0500, Impossible wrote:
    >>>>
    >>>>> "Shane" <-a-geek.net> wrote in message
    >>>>> news:p-a-geek.net...
    >>>>>> On Fri, 06 Jan 2006 10:05:35 +1300, Shane wrote:
    >>>>>>
    >>>>>>> On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:
    >>>>>>>
    >>>>>>>> "Shane" <-a-geek.net> wrote in message
    >>>>>>>> news:p-a-geek.net...
    >>>>>>>>> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
    >>>>>>>>>
    >>>>>>>>>> "Brett Roberts" <> wrote in
    >>>>>>>>>> message
    >>>>>>>>>> news:43bd84b6$...
    >>>>>>>>>>> Microsoft will be releasing the update (MS06-001) for the WMF
    >>>>>>>>>>> vulnerability today at 2pm PST (11am NZ time). PC's configured
    >>>>>>>>>>> for
    >>>>>>>>>>> automatic updating will receive the update without additional
    >>>>>>>>>>> user
    >>>>>>>>>>> intervention or customers can visit
    >>>>>>>>>>> http://update.microsoft.com to
    >>>>>>>>>>> initiate a manual update process.
    >>>>>>>>>>>
    >>>>>>>>>>> There is additional information on the vulnerability at
    >>>>>>>>>>> http://www.microsoft.com/technet/security/advisory/912840.mspx
    >>>>>>>>>>>
    >>>>>>>>>>> Brett Roberts
    >>>>>>>>>>> Microsoft NZ
    >>>>>>>>>>>
    >>>>>>>>>>> And now for a message from our legal people: ** this post is
    >>>>>>>>>>> provided
    >>>>>>>>>>> "AS IS" with no warranties, and confers no rights **
    >>>>>>>>>>>
    >>>>>>>>>>>
    >>>>>>>>>> FYI, I've just checked the Windows Update site and the patch is
    >>>>>>>>>> available *now*
    >>>>>>>>>>
    >>>>>>>>>> Brett
    >>>>>>>>>
    >>>>>>>>> gosh.. only a week too late
    >>>>>>>>>
    >>>>>>>>> --
    >>>>>>>>> BOFH excuse #231:
    >>>>>>>>>
    >>>>>>>>> We had to turn off that service to comply with the CDA Bill.
    >>>>>>>>>
    >>>>>>>>>
    >>>>>>>> It takes a finite amount of time to build and test a patch. This
    >>>>>>>> particular one covers 23 language variants and was tested against
    >>>>>>>> approximately 1000 PC configurations.
    >>>>>>>
    >>>>>>> Yeah.. I saw another company managed it in less time (Without any
    >>>>>>> source
    >>>>>>> code from Microsoft as well)
    >>>>>
    >>>>>
    >>>>>> Released here
    >>>>>> http://www.hexblog.com/
    >>>>>>
    >>>>>> http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=175801253
    >>>>>> On one side stand a pair of well-known security organizations --
    >>>>>> SANS
    >>>>>> Institute's
    >>>>>> Internet Storm Center (ISC), and Helsinki-based security company
    >>>>>> F-Secure
    >>>>>> -- that have been among the most active in researching the WMF
    >>>>>> vulnerability and tracking its exploits.
    >>>>>>
    >>>>>> The Guilfanov hotfix has been blessed by both.
    >>>>>>
    >>>>>> "Install the patch," said Mikko Hypponen, F-Secure's chief research
    >>>>>> officer. "We've tested and audited it and can recommend it. We're
    >>>>>> running
    >>>>>> it on all of our own Windows machines."
    >>>>>>
    >>>>>>
    >>>>> Whoops! You left something out:
    >>>>>
    >>>>> "Jonah Paransky, a senior manager with Symantec's security response
    >>>>> team,
    >>>>> gave even clearer advice. "There's a significant risk to putting a
    >>>>> third-party patch on enterprise systems," he said. "In our view, it's
    >>>>> a
    >>>>> move of last resort."
    >>>>
    >>>> Theres two schools of thought
    >>>> One, patch yourself with the third party [stable] patch or .. wait for
    >>>> the vendor to release their patch (at the time of that article
    >>>> Microsoft were saying that was at least ten days away) With the
    >>>> level of risk that the wmf vulnerability presented, companys had a
    >>>> choice... patch.. or dont do business on the web... whos paying
    >>>> compensation do you think for the losses?
    >>>>
    >>>>
    >>> Point is, those security companies that cobble together a "fix" are
    >>> just
    >>> doing a bit of advertising. Their patch only needed to be "stable" for
    >>> a
    >>> day or two for the most common configurations -- no one was going to
    >>> slam
    >>> them for cutting corners and crashing machines here and there, so they
    >>> had
    >>> nothing to lose by trying to get their name out. Microsoft, I would
    >>> hope,
    >>> was more thorough.

    >>
    >> Umm no..
    >> Cobbled together wouldnt be 'stable'
    >> Nice try though

    >
    > "Stable" is a relative term -- depends how many different machine
    > configurations have been tested and under what operating conditions. And
    > of course we'll never know, since everyone will be using the MS patch now.
    > Nice try though
    >


    Stable is what major Anti Virus companies termed it
    Cutting corners in the original code is what caused the problem in the
    first place
    (the wmf vulnerability I'm led to believe was caused by a bad call,
    "Guilfanov's patch, which is hosted on several sites, blocks WMF exploits
    by setting gdi32.dll's Escape() function so that it ignores any call using
    the SETABORTPROC parameter.")

    >> Are you saying that Microsofts patches that have proven not to be
    >> stable,
    >> and have caused issues for end users are 'cobbled together' (Take a
    >> close look at the furore sp2 caused)

    >
    > You're trying to change the subject -- nice try again, but I'm not going
    > there. Suffice it to say that if ANY piece of software hasn't been
    > throughly tested, then yes, I'd say it had been cobbled together.



    not really... like with like.. patches are all about fixing errors in the
    code

    This is an earlier patch from Microsoft that caused issues

    http://www.cfzone.net/showDetail.asp?TypeId=1&NewsId=11182
    The problems occur after installing the patches Microsoft delivered with security
    bulletins MS05-038 and MS05-052. Both patches can cause problems with
    ActiveX controls, small programs designed to perform a simple task that
    can make a Web site more interactive. The MS05-038 patch can also hinder
    Java applications. After the patches are installed, some applications will
    no longer work in Internet Explorer!

    The MS05-052 patch causes the problem because it makes several changes to Windows
    meant to increase the security of the IE Web browser. After installing the
    patch, IE will check for a special security setting called on ActiveX
    controls. If the control does not have the setting, IE will block it.

    To resolve this issue, Microsoft advises developers to recompile an affected ActiveX
    control and mark it as safe when running it in an Internet browser.

    Testing missed that one?

    There's a few more...
    Which makes me ask .. again.. where do you draw the line, Microsoft's OWN
    patches have caused more issues than they have fixed in the past (In fact
    I recall patches that recreated vulnerabilities previously patched)



    --
    lp1 on fire
    (One of the more obfuscated kernel messages)
    Shane, Jan 5, 2006
    #19
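
Added example (not part of any post in this thread, and not Guilfanov's or Microsoft's code): the article quoted in post #19 describes the hotfix as making gdi32.dll's Escape() ignore calls that use SETABORTPROC, and the same condition can be checked on a file at rest by walking its WMF records and flagging any META_ESCAPE record whose escape function is SETABORTPROC. The record layout and constants follow the published WMF format; the function names and the sample files are constructed for this example, and the samples carry no payload.

```python
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte "placeable" pre-header
META_EOF = 0x0000             # terminating record
META_SETMAPMODE = 0x0103      # harmless record used to pad the constructed sample
META_ESCAPE = 0x0626          # record that is replayed through Escape()
SETABORTPROC = 0x0009         # escape function named in the quoted article


class WmfFormatError(ValueError):
    """Raised when the byte stream does not parse as a well-formed WMF."""


def find_setabortproc(data: bytes) -> list[int]:
    """Return byte offsets of META_ESCAPE records that request SETABORTPROC."""
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        pos = 22
    if len(data) < pos + 18:
        raise WmfFormatError("truncated header")
    file_type, header_words = struct.unpack_from("<HH", data, pos)
    if file_type not in (1, 2) or header_words != 9:
        raise WmfFormatError("not a WMF header")
    pos += 18

    hits = []
    while pos + 6 <= len(data):
        # Each record: 32-bit size in 16-bit words, 16-bit function, parameters.
        size_words, function = struct.unpack_from("<IH", data, pos)
        end = pos + size_words * 2
        if size_words < 3 or end > len(data):
            raise WmfFormatError(f"bad record size at offset {pos}")
        if function == META_EOF:
            return hits
        # The first parameter word of META_ESCAPE is the escape function.
        if function == META_ESCAPE and size_words >= 4:
            (escape_function,) = struct.unpack_from("<H", data, pos + 6)
            if escape_function == SETABORTPROC:
                hits.append(pos)
        pos = end
    # A file that ends before META_EOF is reported, not silently passed.
    raise WmfFormatError("no META_EOF record")


def _record(function: int, params: bytes = b"") -> bytes:
    return struct.pack("<IH", (6 + len(params)) // 2, function) + params


def build_sample(with_abortproc: bool, placeable: bool = False) -> bytes:
    """Constructed test file: SETMAPMODE, optional empty SETABORTPROC escape, EOF."""
    records = [_record(META_SETMAPMODE, struct.pack("<H", 8))]
    if with_abortproc:
        # Escape function plus a ByteCount of 0: structure only, no data bytes.
        records.append(_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 0)))
    records.append(_record(META_EOF))
    body = b"".join(records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max(len(r) for r in records) // 2, 0)
    prefix = struct.pack("<I", PLACEABLE_MAGIC) + bytes(18) if placeable else b""
    return prefix + header + body


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)),
                          ("flagged", build_sample(True))):
        print(label, find_setabortproc(sample))
```

The scanner matches the standard record number only and keys on file structure rather than file extension, so it should be run on content regardless of what the file is named.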
  20. "Shane" <-a-geek.net> wrote in message
    news:p-a-geek.net...
    > On Thu, 05 Jan 2006 17:27:28 -0500, Impossible wrote:
    >
    >> "Shane" <-a-geek.net> wrote in message
    >> news:p-a-geek.net...
    >>> On Thu, 05 Jan 2006 16:59:43 -0500, Impossible wrote:
    >>>
    >>>> "Shane" <-a-geek.net> wrote in message
    >>>> news:p-a-geek.net...
    >>>>> On Thu, 05 Jan 2006 16:36:38 -0500, Impossible wrote:
    >>>>>
    >>>>>> "Shane" <-a-geek.net> wrote in message
    >>>>>> news:p-a-geek.net...
    >>>>>>> On Fri, 06 Jan 2006 10:05:35 +1300, Shane wrote:
    >>>>>>>
    >>>>>>>> On Fri, 06 Jan 2006 09:55:04 +1300, Brett Roberts wrote:
    >>>>>>>>
    >>>>>>>>> "Shane" <-a-geek.net> wrote in message
    >>>>>>>>> news:p-a-geek.net...
    >>>>>>>>>> On Fri, 06 Jan 2006 09:44:11 +1300, Brett Roberts wrote:
    >>>>>>>>>>
    >>>>>>>>>>> "Brett Roberts" <> wrote in
    >>>>>>>>>>> message
    >>>>>>>>>>> news:43bd84b6$...
    >>>>>>>>>>>> Microsoft will be releasing the update (MS06-001) for the WMF
    >>>>>>>>>>>> vulnerability today at 2pm PST (11am NZ time). PC's configured
    >>>>>>>>>>>> for
    >>>>>>>>>>>> automatic updating will receive the update without additional
    >>>>>>>>>>>> user
    >>>>>>>>>>>> intervention or customers can visit
    >>>>>>>>>>>> http://update.microsoft.com to
    >>>>>>>>>>>> initiate a manual update process.
    >>>>>>>>>>>>
    >>>>>>>>>>>> There is additional information on the vulnerability at
    >>>>>>>>>>>> http://www.microsoft.com/technet/security/advisory/912840.mspx
    >>>>>>>>>>>>
    >>>>>>>>>>>> Brett Roberts
    >>>>>>>>>>>> Microsoft NZ
    >>>>>>>>>>>>
    >>>>>>>>>>>> And now for a message from our legal people: ** this post is
    >>>>>>>>>>>> provided
    >>>>>>>>>>>> "AS IS" with no warranties, and confers no rights **
    >>>>>>>>>>>>
    >>>>>>>>>>>>
    >>>>>>>>>>> FYI, I've just checked the Windows Update site and the patch is
    >>>>>>>>>>> available *now*
    >>>>>>>>>>>
    >>>>>>>>>>> Brett
    >>>>>>>>>>
    >>>>>>>>>> gosh.. only a week too late
    >>>>>>>>>>
    >>>>>>>>>> --
    >>>>>>>>>> BOFH excuse #231:
    >>>>>>>>>>
    >>>>>>>>>> We had to turn off that service to comply with the CDA Bill.
    >>>>>>>>>>
    >>>>>>>>>>
    >>>>>>>>> It takes a finite amount of time to build and test a patch. This
    >>>>>>>>> particular one covers 23 language variants and was tested against
    >>>>>>>>> approximately 1000 PC configurations.
    >>>>>>>>
    >>>>>>>> Yeah.. I saw another company managed it in less time (Without any
    >>>>>>>> source
    >>>>>>>> code from Microsoft as well)
    >>>>>>
    >>>>>>
    >>>>>>> Released here
    >>>>>>> http://www.hexblog.com/
    >>>>>>>
    >>>>>>> http://www.crn.com/sections/breakingnews/dailyarchives.jhtml?articleId=175801253
    >>>>>>> On one side stand a pair of well-known security organizations --
    >>>>>>> SANS
    >>>>>>> Institute's
    >>>>>>> Internet Storm Center (ISC), and Helsinki-based security company
    >>>>>>> F-Secure
    >>>>>>> -- that have been among the most active in researching the WMF
    >>>>>>> vulnerability and tracking its exploits.
    >>>>>>>
    >>>>>>> The Guilfanov hotfix has been blessed by both.
    >>>>>>>
    >>>>>>> "Install the patch," said Mikko Hypponen, F-Secure's chief research
    >>>>>>> officer. "We've tested and audited it and can recommend it. We're
    >>>>>>> running
    >>>>>>> it on all of our own Windows machines."
    >>>>>>>
    >>>>>>>
    >>>>>> Whoops! You left something out:
    >>>>>>
    >>>>>> "Jonah Paransky, a senior manager with Symantec's security response
    >>>>>> team,
    >>>>>> gave even clearer advice. "There's a significant risk to putting a
    >>>>>> third-party patch on enterprise systems," he said. "In our view, it's
    >>>>>> a
    >>>>>> move of last resort."
    >>>>>
    >>>>> Theres two schools of thought
    >>>>> One, patch yourself with the third party [stable] patch or .. wait for
    >>>>> the vendor to release their patch (at the time of that article
    >>>>> Microsoft were saying that was at least ten days away) With the
    >>>>> level of risk that the wmf vulnerability presented, companys had a
    >>>>> choice... patch.. or dont do business on the web... whos paying
    >>>>> compensation do you think for the losses?
    >>>>>
    >>>>>
    >>>> Point is, those security companies that cobble together a "fix" are
    >>>> just
    >>>> doing a bit of advertising. Their patch only needed to be "stable" for
    >>>> a
    >>>> day or two for the most common configurations -- no one was going to
    >>>> slam
    >>>> them for cutting corners and crashing machines here and there, so they
    >>>> had
    >>>> nothing to lose by trying to get their name out. Microsoft, I would
    >>>> hope,
    >>>> was more thorough.
    >>>
    >>> Umm no..
    >>> Cobbled together wouldnt be 'stable'
    >>> Nice try though

    >>
    >> "Stable" is a relative term -- depends how many different machine
    >> configurations have been tested and under what operating conditions. And
    >> of course we'll never know, since everyone will be using the MS patch
    >> now.
    >> Nice try though
    >>

    >
    > Stable is what major Anti Virus companies termed it
    > Cutting corners in the original code is what caused the problem in the
    > first place
    > (the wmf vulnerability Im led to believe was caused by a bad call,
    > "Guilfanov's patch, which is hosted on several sites, blocks WMF exploits
    > by setting gdi32.dll's Escape() function so that it ignores any call using
    > the SETABORTPROC parameter.")
    >
    >>> Are you saying that Microsofts patches that have proven not to be
    >>> stable,
    >>> and have caused issues for end users are 'cobbled together' (Take a
    >>> close look at the furore sp2 caused)

    >>
    >> You're trying to change the subject -- nice try again, but I'm not going
    >> there. Suffice it to say that if ANY piece of software hasn't been
    >> throughly tested, then yes, I'd say it had been cobbled together.

    >
    >
    > not really... like with like.. patches are all about fixing errors in the
    > code
    >
    > This is an earlier patch from Microsoft that caused issues
    >
    > http://www.cfzone.net/showDetail.asp?TypeId=1&NewsId=11182
    > The problems occur after installing the patches Microsoft delivered with
    > security
    > bulletins MS05-038 and MS05-052. Both patches can cause problems with
    > ActiveX controls, small programs designed to perform a simple task that
    > can make a Web site more interactive. The MS05-038 patch can also hinder
    > Java applications. After the patches are installed, some applications will
    > no longer work in Internet Explorer!
    >
    > The MS05-052 patch causes the problem because it makes several changes to
    > Windows
    > meant to increase the security of the IE Web browser. After installing the
    > patch, IE will check for a special security setting called on ActiveX
    > controls. If the control does not have the setting, IE will block it.
    >
    > To resolve this issue, Microsoft advises developers to recompile an
    > affected ActiveX
    > control and mark it as safe when running it in an Internet browser.
    >
    > Testing missed that one?
    >
    > Theres a few more...
    > Which makes me ask .. again.. where do you draw the line, Microsofts OWN
    > patches have caused more issues than they have fixed in the past (In fact
    > I recall patches that recreated vulnerabilitys previously patched)
    >
    >
    >
    > --
    > lp1 on fire
    > (One of the more obfuscated kernel messages)
    >


    Which proves why testing is so critical.
    news.xtra.co.nz, Jan 5, 2006
    #20