Wait for Windows patch opens attack window

(continued from previous page)

Marx agreed. "As the vulnerability is already known, Microsoft should make this patch available now," he said. System administrators could do their own testing and then apply the patch, Marx and Ullrich said.

Increasingly sophisticated computer code that exploits the Windows flaw has been made publicly available, Symantec said. In response, the security provider raised its ThreatCon global threat index to Level 3.

Microsoft, however, said the threat is limited. "Although the issue is serious, and malicious attacks are being attempted, Microsoft's intelligence sources indicate that the scope of the attacks is not widespread," the software maker said in its advisory.

Calculating potential cost
Whether to issue the fix sooner rather than later has to be a matter of risk analysis, CA's Curry said. "They have to balance out what the risk involved with not having a patch for a day or two days is, versus not testing all scenarios. The only thing they could do worse than delaying a patch is if they bring out a bad patch," he said.

Part of the problem is that the Microsoft's software is complicated and vulnerable to unintended side effects of patches, Quandt said. If the company sends out a fix prematurely, the update could cause bugs that affect the normal operation of systems, she said.

Related story
Windows flaw spawns dozens of attacks

Attacks designed to exploit WMF flaw range from malicious spam to MSN Messenger worm.

Beyond this single instance is what appears to be a wider problem with WMF files, said John Pescatore, a Gartner analyst. Other flaws related to WMF have been put right in recent months, he noted.

"I hope Microsoft is going to fix the underlying problem in how WMF files are handled," he said. "We need a stronger fix, so that we're not going to see another vulnerability like this one two weeks from now."

While Microsoft is testing its patch, users can protect themselves with an unofficial, third-party fix. In an unusual move, some security experts are even recommending that people apply this solution while waiting for Microsoft to deliver the official update.

"We carefully checked this patch and are 100 percent sure that it is not malicious," the SANS Institute's Ullrich said. "The patch is, of course, not as carefully tested as an official patch. But we feel it is worth the risk. We know it blocks all exploit attempts we are aware of."

F-Secure, an antivirus company in Finland, has also tested the fix, created by Ilfak Guilfanov, a programmer in Europe. "We've tested and audited it and can recommend it. We're running it on all of our own Windows machines," said Mikko Hypponen chief research officer at F-Secure.

But Microsoft cautions against Guilfanov's patch. "As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software," Microsoft said.

At least one user has reported difficulties after installing the fix. The update can cause network printing problems, according to an e-mail sent to the Full Disclosure security mailing list.

While some critics have given Microsoft's response to the WMF flaw a failing grade, the company has also gained some respect for its handling of the issue.

"Everybody would like to see the patch as soon as possible, but I can't blame Microsoft for wanting to test it thoroughly," Hypponen said. "However, if a widespread worm is found before next Tuesday, I do believe they will break the cycle and just release the patch."

As the official January patch day is only next week, the length of the wait for the update is fine, Gartner's Pescatore said.

"If we were three weeks, or almost four weeks from the next regular patch cycle, it might be a different story," he said. "This close, most enterprises don't want to go through one patch this week and another next week."

Still, Gartner is urging people to protect themselves while waiting for Microsoft's fix--by blocking access to known malicious sites, for example, Pescatore said. Microsoft also offers some workarounds in its advisory.

[Annette Snow]

ANOTHER SERIOUS WINDOWS FLAW? UNBELIEVABLE!

I can but shake my head in disbeilief when people continue to
put up with this 'planned obselecence' marketing strategy. Who
do you think creates these viruses ad nauseum, patches it, then
forces you to buy a whole new system? Buy a MAC, or at least
shop around for alternative OS's and boycott Micro$oft. Support
the competition before this monopoly swallows us all up
completely!

[unknown unknown]

RE:

"I can but shake my head in disbeilief when people continue to put up with this 'planned obselecence' marketing strategy."

Planned obselecence is part of how commerical software makes money. Vendors eventually stop supporting old software and hardware(Apple does it to). It's just not feasble for them to continue to support old software and hardware forever. If they did they'd be so tied up with old stuff they'd never develop anything new. Even open source projects move on eventually.


"Who do you think creates these viruses ad nauseum, patches it, then forces you to buy a whole new system?"

Conspiracy theories aren't particularly useful.

[eSchmeltzer]

Ban Mircrosoft

Google is coming out with an OS. I will be looking at that very seriously. In the meantime, I have a few extra hard drives, and am experimenting with Linux.

[Zymurgist]

Why Unbelievable?

IIRC Ballmer had indicated during the hullabaloo
about Microsoft's new religion of security that
the Windows XP developers had flagged 70,000
known security issues in the operating system
(it'll take some Googling, but you ought to be
able to find it). In a typical year, 1000-2000
of those become public, and about 50% are fixed
(those given higher criticality ratings).

I'm pretty sure all of this is pretty much
understood at this point. You aren't buying MS
products for security, and prudent users / IT
managers simply recognize this sort of thing as
part of the cost of using the product -- like
the maintenance costs on a car.

Don't like it? Get a different car or go for a
boat... There's still costs involved, and
perhaps you need to change the way you drive,
but maybe something different is what you need.
Then again, maybe not -- perhaps the cost is
reasonable if it truly is the only model that
satisfies your needs.

[val31]

PROBLEMS?

AS WE ALL KNOW, ALL MECHANICAL EQUIPMENT WILL FAIL AT ONE POINT OR ANOTHER.. THIS SHOULD NOT COME AS SUCH A SUPRISE TO ANYONE!

[Richard Gilbertson]

Windows Patch for Security hole

I work IT normally and use a PC and Mac at home. Yet one more of
a thousand reasons I love my Mac more than my PC. My PC is WORK
at home (even gaming), and WORK at WORK. My Mac is fun at home
and could be used at work if everything was not bug infested.

[wakizaki]

Hey, It's Window$

What do you expect?! :)) Windows and Security never mix :))

[n3td3v]

HOLD MICROSOFT RESPONSIBLE FOR YOUR COMPROMISED MACHINES

I e-mailed Microsoft earlier to complain of this very critical situation, created by Microsoft's very slow push-out of a patch. A representative at Microsoft's security address replied to confirm they had got my message. Will They be pro-active and actually release a patch before the end of the week? http://groups.google.com/group/n3td3v/browse_thread/thread/e67228a04c34d6ee

[n3td3v]

HOLD MICROSOFT RESPONSIBLE FOR YOUR COMPROMISED MACHINES

I e-mailed Microsoft earlier to complain of this very critical situation, created by Microsoft's very slow push-out of a patch. A representative at Microsoft's security address replied to confirm they had got my message. Will They be pro-active and actually release a patch before the end of the week? http://groups.google.com/group/n3td3v/browse_thread/thread/e67228a04c34d6ee

[Hernys]

You know...

It's not that easy. A fix that's going to change how a very widely used component of the operating system works, and that's going to be used on about a billion machines running a few million different applications should be thoroughly tested. I don't see why Microsoft would hold the patch unless it's for testing purposes. If the patch was ready it would be out there, it wouldn't be the first time Microsoft released an out of cycle patch.

[CoachWT]

Microsoft is more responsible than Apple/Open Source

There are just as many exploits on Unix/Linux/Mac. Check the SANS Institute web site.
This is all F.U.D..
This flaw was discovered over a month ago and there has not been one computer infected.

Microsoft is currently providing protection from this flaw. Install Windows OneCare from the download site.

Microsoft Notice:
A security vulnerability in Windows could allow malicious software to infect your computer when opening an infected graphic or a malicious Web site. Microsoft is working on a patch, but Windows OneCare is protecting you now from known viruses using this flaw. As long as your Windows OneCare status remains 'green' or 'yellow' while you're connected to the Internet, Windows OneCare is protecting you. If your status is 'red' (at risk), please either take the requested action or go to the Help Center.

Advisory: 0.0.0.8
Release date: 01/03/2006

[adeptblue]

Web Bugs

Want to really get scared? Download BUGNOSIS from the Privacy Foundation to see how many sites you visit have Web Bugs (Including C|Net).

That's right, this site uses Web Bugs !!

Roger

[The user with no name]

hahah and cnet article

http://news.com.com/2100-1017-243077.html?tag=tb

makes you wonder what kind of schizophrenic place this is.... oh look these are bad....oh look lets use them!

makes me wonder about this site more and more...

[CoachWT]

Microsoft is providing protection from flaw

Install Windows OneCare

A security vulnerability in Windows could allow malicious software to infect your computer when opening an infected graphic or a malicious Web site. Microsoft is working on a patch, but Windows OneCare is protecting you now from known viruses using this flaw. As long as your Windows OneCare status remains 'green' or 'yellow' while you're connected to the Internet, Windows OneCare is protecting you. If your status is 'red' (at risk), please either take the requested action or go to the Help Center.

Advisory: 0.0.0.8
Release date: 01/03/2006

[Bill Dautrive]

wow

What a fan boy. One care is a protection racket. Who else would have the eggs to charge for protecting something that they cause, other then the mob and MS.

[aabcdefghij987654321]

Another day, another Microsoft virus

Need I say more?

[jypeterson]

Ma and Pop Computer Users are Most at Risk

I am in the same camp as some of the other commentors here. I use a Windows machine at work and a Mac at home. I am so thankful that my Mac is unaffected.

Microsoft needs to held ultimately responsible...

[CoachWT]

Responsible for what ...

There are just as many exploits on Unix/Linux/Mac. Check the SANS Institute web site.
This is all F.U.D..
This flaw was discovered over a month ago and there has not been one computer infected.

Microsoft is currently providing protection from this flaw. Install Windows OneCare from the download site.

Microsoft Notice:
A security vulnerability in Windows could allow malicious software to infect your computer when opening an infected graphic or a malicious Web site. Microsoft is working on a patch, but Windows OneCare is protecting you now from known viruses using this flaw. As long as your Windows OneCare status remains 'green' or 'yellow' while you're connected to the Internet, Windows OneCare is protecting you. If your status is 'red' (at risk), please either take the requested action or go to the Help Center.

Advisory: 0.0.0.8
Release date: 01/03/2006

[SvnX]

Defense?

I have a question that's been eating at me for a long time. With all of these security exploits that continue to come out...at what level of concern should a person be who is

1) Using Firefox as their primary browers
2) Using Zonealarm for: Firewall, Antivirus and Anti-Spyware
3) and also using as secondary measures: AVG-Antivirus, Spybot, M$'s Anti-spyware and Ad-aware

So...with all of this protection...should I be 'oh my God' type of fear or just 'umm..think I'll be just a little more cautious' type of mood?

[nightveil]

Caution is always a good policy

Even with all of that protection, you should always be cautious. A
little healthy paranoia keeps you from having to deal with these
issues.

Keep your stuff updated and run it regularly and you'll more than
likely be fine.

[Mutex]

I hate to worry you,

but none of those things will protect you from a brand new exploit of this WMF bug. It's doesn't matter what browser you use, what anti virus you have, what firewall you have... You view a malicious WMF it'll compromise your machine. Until MS release the patch.

But just stick to websites you know and trust and you'll be fine. You have to view a dodgy website where the owner has purposely put a malicious WMF. You won't get infected reading CNet for example.

[Zymurgist]

You should be concerned....

Firefox really has no bearing on it, nor does
ZoneAlarm (per se -- ZoneAlarm will catch
network traffic from malware after it's been
installed). So far, none of the antivirus and
antispyware vendors have a fix. AdAware would
help if it's deployed in a banner ad.

The issue lies in a library shared by several
applications and system services. The method of
exploit is actually there by design -- which is
probably why it's taken so long to respond, to
verify that no legacy software is dependent on
the functionality.

One point of concern for you might also be the
overhead imposed by running ZoneAlarm, Spybot,
AdAware, and MS Antispyware. The memory
resources used vary quite a bit, but you're
sacrificing hundreds of megs of disk space and
20-30% of your CPU power running that stuff
(maybe more). Running those programs has a very
perceptible affect on the performance of your
computer.

[dragonbite]

The sky is falling the sky is falling ... let's blame Microsoft!

Sheesh, love how an article about Microsoft brings out the "shiny-box people" (Mac users)!

The summary of the article is :

... A flaw has been found for Windows and some people are whining to get this patch they think is some miricle cure out to the public before anybody has had a chance to finish testing it because they feel as if Microsoft "owes it to them". ...

Do these people promise to NOT say anything negative about Microsoft if the patch comes out whether or not it doesn't work on some systems because it wasn't fully tested? Would these same people turn around and sing praises of Microsoft for their "quick turn-around"?

um, no.

It's so easy to blame Microsoft and want things to to be fixed yesterday but that doesn't change the fact I don't have a clue what's going on inside the Redmond campus right now. Are they playing tiddly-winks, or wearing their finger nails down typing like mad?

Macs can have, what, millions of configurations? That's still well behind the number Microsoft has to prepare for and is one factor in Apple's ability to build a more secure and stable OS (and re-writing it from scratch helps).

In a project management book I'm reading there are a number of examples going over how shrinking the proposed development time actually causes it to take longer and produce more bugs.

While waiting for the patch to come out, wouldn't it be nice to have a place list the infected websites so they can be avoided?

I use Windows at work, and Linux at home. Both systems work just fine.

[Earl Benser]

Maybe you should take the time...

... to figure out what you are talking about.

Okay, so lots of people are over reacting about MS's security
problems. But, it's not like those problems are in any way new.
Or that they will actually get fixed.

And you are right that with no standardization in the PC world,
MS has a major problem in managing an OS. I've always said that
it's a miracle that Windows runs at all. The fact that it runs badly
is almost unavoidable, except for the MS marketing impact.'

And yes, Apple has an advantage in cleaning out the old code
and writing a new OS twice now in the past ten years or so. But
then Apple has the advantage in selecting both the OS and the
processor, as well as the motherboard design. MS can only work
the OS design, and then is less concerned about writing an OS
than they are about hanging on to their marketing position. So
MS jams every app they can find into their OS, and that just
compromises the h--- out of OS design and security. Apple
went with independent apps and a separate OS, and it works.
Too bad MS couldn't figure that one out. I'd have much better
running PC's in my system.

Linux is also a fairly good option, but I have yet to find Linux
apps that can actually replace MS Office Pro on the PC. And even
then, MS Office runs better on my Mac's than it does on my PC's.

[Mister C]

Very Interesting!

This seems to be showing up more and more. It used to be ?WINDOZE is way better than Linux!? As of late it has morphed to ?Windoze is as good as Linux."

Are we seeing the beginning of a paradigm shift?

[chrisx1]

Patch delay

They have to take the next week to test the patch.
If the patch has problems, Microsoft will face criticism.

[CA1900]

Stop putting up with Windows!

I feel for my friends with Windows machines. I really do. Why do you keep putting up with it?

http://www.apple.com/macosx/features/security/

[Rolndubbs]

yeah...

I put up with windows at work because it is a necessity, since the apps used don't run on any other OS. I put up with windows at home because my laptop, which is 1.5 years old, is still faster than any powerbook around. I put up with windows because my media center acts as a tivo with no monthly cost, something Mac's can not do.(I guess I could pay $2 per episode for low quality downloads of some shows, but that would just be stupid.) Oh, and I play games on my gaming rig, something Mac's obviously can not do. So in short, if you want options, I guess you have to "keep putting up" with windows. If you want to be told what hardware to use, and have very limited options, then by all means switch.

[Seaspray0]

Why I put up with it

Just remember you asked the question...

I put up with windows for a good reason. I can get software that isn't available on mac or linux. Yes, the mac is a fine machine and runs nice, but when you have less than 5% of the market share, you don't have software vendors willing to write for it.

[rcrusoe]

Second Class System

Microsoft is fast becoming a second class system in some
companies. Few businesses can afford to get rid of Microsoft
completely but I'm finding that some are now starting to put
their vulnerable Windows computers on a separate network
segment.

Doing that allows them to prevent their Windows users from
reaching the Internet, email, etc. and most importantly prevents
their Windows computers from being a source of attacks on the
rest of their network.

It's time for Microsoft to concentrate on X-Boxes instead of
trying to deliver a secure operating system. At least they have a
chance of success with the X-Box.

[Seaspray0]

rubish

"but I'm finding that some are now starting to put their vulnerable Windows computers on a separate network segment. Doing that allows them to prevent their Windows users from reaching the Internet, email, etc."

Oh really? I haven't seen a business network yet where the PC's weren't on a seperate network segment... and you're just finding this out? Without doing this, the company would have to provide a public IP address for every PC on their network. You bet you can control access... through a proxy server. Many companies do it to control access to the internet, email (internet email like aol and msn), etc. I don't know of many companies where internet email access IS authorized (employees do not have a right to their private email on work PC's) and companies do have a right to restrict access to websites (no porn, etc). This is how things have been for ages and it's not just a microsoft thing; all client PC's get this treatment reguardless of the operating system.

Try and tell me that both MAC and Linux don't get viruses and then go online are research for yourself how many security issues are currenly reported. If you're going to write comments like you did, you better include every operating system out there... "ALL operating systems are fast becoming a second class system..."

The only operating system I've found that couldn't get a virus was embedded on a ROM chip.

[eSchmeltzer]

File Types for WMF

I have read all I can on the flaw, and I changed the File association for WMF to NOTEPAD so the picture will not execute as an image file, instead will open up note pad. The simple tests I made worked, and notepad was opened.

Is this all we might have to do for this particular threat?

[Oscar Rat]

Why not simplify it?

Forget all that crap about a thousand and one ports. At some point, there is only one circuit letting data enter and leave your computer. That is the obvious point to check data.

Why doesn't someone build a program to monitor it and check all input and output? Something Microsoft or another company can easily update?

It would slow the computer down, but so do all the patchwork programs to check for and stop Malware. I would imagine that all Malware has some sort of signature.

There are programs that record everything going in or out. I have one that does that. Why not program one to checks checks for Malware and stops it or asks for your permission?

Maybe I'm old fashioned, but I have no need for things like Java or Active-X. I keep them turned off and have no real problems. I can't get on a few sites, but nothing crucial to my normal use. If others felt the same, it would be used less by web sites. The pretty pitchers ain't worth the aggravation.

Why would I need an email client that handles HTML in the first place? Like the other two, I don't use it or need it.

Microsoft has too many such ports, many reserved for its own use. They should be blocked or eliminated. Personally, I think Microsoft has plans to get into the placing of ads itself. From past experience, when have they missed an opportunity to make money? I wouldn't doubt that they're collecting information on our viewing habits at this very moment.

I would never buy anything from an unsolicited ad. At the most, it might remind me of something I want to purchase. In which case I would do a search and pick the best place to buy it myself, certainly not simply clicking an ad. There has to be something to it though, since a lot of people do.

Oscar Rat

[Bob Brinkman]

they do

It's known as a firewall.

[Zymurgist]

Not practical, technically.

It's true that you could inspect all data coming
through a network channel, but it's not
technically feasible. Why? Because you'd need to
assemble the incoming packets,
decode/decrypt/uncompress chunks of data that
are arbitrarily compressed/encrypted, then
compare that chunk of data to a database of
fingerprints (which is nothing but an array of
regular expressions). While that's conceivable
(right down to being the "man-in-the middle" for
SSL traffic), you'd need to do it at line-speed
(the speed of the incoming traffic).

You wouldn't be able to pull it off using the
host-CPU at anything near ethernet speeds, you'd
probably need to throttle the connection speed
back to that of a conventional modem, maybe
slower. It's still computationally cheaper to
identify contexts where there's risk and address
those (and restrict yourself to exploits
relevent to the context -- such as a macro in a
word document). Why unzip a file to search for
viruses right away when you can defer that
action (and the penalty of the search procedure)
until the zip file is about to be opened?

Understand too, that some of the underlying
causes and design flaws of Windows (not all mind
you, just some) are addressed in Microsoft's
upcoming Vista. There are some basic security
practices that have been around for 20 years
that will see their first formal implementation
in Vista (like LUA). Vista won't solve all the
problems (like the WMF exploit), particularly if
nobody shells out the cash for it, but it will
go farther than anything Microsoft has done
before.

I read that this works

"disabling .WMF file handling: First, users should click on the Start button on the taskbar. Then they should click on Run, type "regsvr32 /u shimgvw.dll," and click "Ok" when the change dialog appears."

Haven't tried it myself yet as I don't use XP at home

[SmartITGUY]

Microsoft Should not be allowed to profit from this...

You KNOW, Microsoft will use this flaw to leverage users into buying new software. They will ONLY patch Windows XP, and anyone using Windows 2000 or older, who wants their systems fixed or made more secure will be FORCED to buy WIndows XP.
In alot of cases this will force people to have to buy new hardware.

So far Microsoft has seen surges in sales of Windows XP for every flaw and exploit that has come out. THIS IS VERY WRONG! Microsoft should not be rewarded for poor programming. What's to stop them from deliberately creating flaws and vulnerabilities to increase sales.

The LAW needs to step in and FORCE Microsoft to patch "EVERY" version of Windows that is affected by this flaw... AT NO COST TO THE USER.

[Charleston Charge]

Surge in sales???

MS still provides patches for 2000 and I believe still for 98. Many people still have not upgraded to XP because 2000 still works and is supported by MS.

[Stating]

Google Products Never Get Out Of Beta

Google mail is still in beta and it has been over a year now. How on earth would they be able to release a PRODUCTION OS within this decade?

[The user with no name]

Google O/S info

The long talked about and anticipated Google O/S is soon to be offered in Beta.

Download links be sent to google mail accounts (sorry if you dont have a google mail account or have never been sent an invite for one you are s.o.l)

The O/S is being called Giggle
Once you have installed Giggle you will have access to all of the Giggle multimedia products
(Giggle viewer, Giggle media player, and a new desktop search called Giggle This.) As well as an integrated competition to Office called, amazingly enough (lol) Giggle At Work

registered Giggle OS users will however be able to send out giggle invites to their friends whereby they too can download the GiggleWare and make the switch to what certainly will be the OS with the most smiles.

Bad news is that just like Google Mail the OS tracks you like a Wild Animal and keeps records of everything you do, see, and send even when you have deleted these records. The kept records will only be used for the purposes of being able to figure out how to sell you more useless **** as well as revenue streams for 3rd party marketeers.

AND JUST TO STOP THE LAWYERS FROM KNOCKING ON MY DOOR... THIS WAS ALL JUST FAIR USE UNDER THE GUISE OF A PARODY OF THE REAL AND ACTUAL GOOGLE COMPANY. AND AS STAUNCH DEFENDERS OF FAIR USE (SEE THEIR BOOK SCANNING PROJECT) THIS DISCLAIMER SHOULD SUFFICE TO PROTECT ME.

lol

[markdoiron]

Try Here for the Patch

all the sites hosting this patch are very, very busy. here's a link to a washington post article with a link in it to a site that has quite a few mirrors for the patch. i'd provide that link, but if you're like me you consider that might be an attempt at infection in and of itself!

http://blogs.washingtonpost.com/securityfix/2006/01/unofficial_patc.html

i figure you folks will trust the washington post. well, at least on tech (if not on politics!).

mark d.