B
Bill Sanderson
http://www.microsoft.com/technet/security/bulletin/advance.mspx
Mike Nash's comments:
http://blogs.technet.com/msrc/
--
Mike Nash's comments:
http://blogs.technet.com/msrc/
--
Microsoft will release the WMF patch MS 06-001 at 2 PM Redmond time today
O
OldBoy
Yep, just got it
(Via Microsoft/Windows Update)
OldBoy
(Via Microsoft/Windows Update)
OldBoy
B
Bill Sanderson
Great--I've been getting it on every machine I've tried so far. It's a
quick patch--couple of minutes, perhaps even on a dialup--reboot required,
though.
--
quick patch--couple of minutes, perhaps even on a dialup--reboot required,
though.
--
OldBoy said:Yep, just got it
(Via Microsoft/Windows Update)
OldBoy
D
Donald Anadell
Hi Bill,
I suspect the package size is small because it only contains is a new version of GDI32.DLL.
The patch updated my GDI32.DLL file from version 5.1.2600.2770 to 5.1.2600.2818
Donald Anadell
I suspect the package size is small because it only contains is a new version of GDI32.DLL.
The patch updated my GDI32.DLL file from version 5.1.2600.2770 to 5.1.2600.2818
Donald Anadell
Bill Sanderson said:
B
Bill Sanderson
That's what the bulletin says--with variations for the 64 bit platforms on
which there are both 32-bit and 64-bit files, I think.
(I take that back--there's a helper file of some sort on XP and Windows 2000
versions of the patch)
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
which there are both 32-bit and 64-bit files, I think.
(I take that back--there's a helper file of some sort on XP and Windows 2000
versions of the patch)
http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
A
Anonymous Bob
Bill Sanderson said:
The update was there for me as soon as I got home from work this evening.
<g>
Here's some interesting commentary:
http://www.grc.com/sn/notes-020.htm
Three items of note:
1. Microsoft's fix disables the SetAbort call in GDI32.dll and therefore has
the same effect as the 3rd party fix from Ilfak Guilfanov (which can be
removed after the update).
2. The update doesn't address Windows 9x or ME.
3. You can listen to Ilfak at the link below:
http://media.grc.com/sn/SN-021.mp3
Now for an unsolicited opinion.<bEg>
Mr. Nash speaks of "customers" as if the corporate customer is the only
market that matters. I'm left with the feeling that consumers, such as
myself, are a secondary market. This fallacy here is that there is no such
demarcation in the real world. We all saw evidence of this in August when
the laptops of the on air personalities were spontaneously rebooting at CNN
and ABC due to the Zotob worm.
When it comes to security, there can be no such demarcation. Let's leave
that to marketing.
Very respectfully,
Bob Vanderveen
B
Bill Sanderson
Anonymous Bob said:
I haven't read the links yet, but I've definitely given some thought and
voiced some opinion about the issues you are speaking of here. I don't
believe that division is there in Mike Nash's mind. I do believe that
Microsoft's view of their customer base is weighted towards the corporate
side--those are the folks who have direct support from Microsoft.
On the other side are: OneCare Live, Safety.live.com, and Spynet--although
Spynet has a fair number of corporate machines on it as well. Also the
feedback they get via calls to 1-866-pcsafety.
Plun has opined that Microsoft was saving possible headaches for the
corporate many via sacrificing a few folks with predilictions for unsavory
sites. I can agree that the wait while the patch was tested certainly had
that effect.
OTOH, if the patch turned out to be "bad"--a few thousand or tens of
thousands of individual customers are a much bigger problem than a few
thousand corporate desktops, in terms of correcting the issue.
I don't think that Microsoft intentionally has that divide in their
thinking--I do think that their "view" of the problem is necessarily biased
toward the large corporate customers of themselves and their antivirus
partners. I hope that they are doing what they can to correct that
imbalance, and I'll certainly talk about it when it seems appropriate.
A comment like that would be fair game for Mike Nash's next public security
chat.
January 11, 9:30 AM pacific time
http://www.microsoft.com/technet/community/chats/default.mspx
I've taken part in these chats, and the ordinary person off the street does
indeed have a chance to get a word in edgewise. You may not get the perfect
candid answer you aim for--but you'll get heard.
A
Anonymous Bob
Bill Sanderson said:
Thanks for the link and schedule, but I'd have to take a day off work. :-(
You make several good points and corporations will always and legitimately
have a larger voice. (Computer user groups...UNITE! <g>)
This exploit wasn't a bug. It was a feature that's been there for 15 years..
It didn't require a visit to the dark side. A visit to the Knoppix web site
was enough:.
http://handlers.dshield.org/jullrich/wmffaq.htmls
"Is it sufficient to tell my users not to visit untrusted web sites?
No. It helps, but its likely not sufficient. We had at least one widely
trusted web site (knoppix-std.org) which was compromissed. As part of the
compromise, a frame was added to the site redirecting users to a corrupt WMF
file. "Tursted" sites have been used like this in the past."
Also here:
http://www.wired.com/news/technology/1,69953-0.html
"Many legitimate websites have also been hacked and comprised to deliver the
attack, according to Websense Security Labs, which was first to warn of the
vulnerability. Websense says the WMF code also is being exploited through
third-party banner ads on mainstream websites. And, like traditional Windows
threats, the bug can always be exploited by a malicious e-mail attachment."
Additionally, some printers were affected by the "fix". I believe it has to
do with canceling a print job. It remains to be seen if there's still a
problem in that area, but I imagine there is.
Getting back to the point, corporate and home users face the same threat
environment.
Bob Vanderveen
B
Bill Sanderson
Anonymous Bob said:
I'll see whether I can get there and ask that question--I think it's a good
one. I also think they are already aware of it, but maybe the answer will
be instructive, or maybe having the question on record will add weight to
the arguments of those within MS pushing for more weight towards the home
users. You never know.
That's bad. And perhaps it was a factor in the early release of the patch.
I saw statements like that from the antivirus vendors, but without
specifics, so it was hard to gauge what the impact might have been.
Check the first FAQ item in the patch KB article--it looks to me as though
they closed the hole for WMF file content, but not for use of the API by
other software--i.e. printer drivers.
Nearly. In some cases corporate firewalls prevent some issues that home
users are faced with. I liked your (?) mention of CNN anchors as an
example--it is quite likely that such "opinion leaders" have machines which
are not joined to a domain and carefully shielded and managed. So it would
behoove Microsoft to consider threats primarily from the perspective of such
individual machines. Perhaps that really is already true--that's another
question, or angle to the question, for Mike Nash. I'll see if I can
formulate something useful and get it asked.
P
plun
Bill Sanderson pretended :
Hi Bill
What I meant was not "corporate headaches" beacuse of no patch, all
corporate networks probably was protected with both definitions and new
firewall rules, really small risk beacuse this was spread from
Internets cloak to unprotected small busines users/home users or bad
protected school users.
But the risk propagate when IRC bots was included ie a PC become a real
Zombie.
And a Zombie army is much more dangerous to deal with, they can fire a
"nuclear bomb" against anyone to destroy Internet structure.
Nevertheless I believe it was a small risk for something bigger.
We will see alot in future with Systemwarnings and Spyaxes........
but that Ewido wipes away and Smitrem.
regards
plun
Hi Bill
What I meant was not "corporate headaches" beacuse of no patch, all
corporate networks probably was protected with both definitions and new
firewall rules, really small risk beacuse this was spread from
Internets cloak to unprotected small busines users/home users or bad
protected school users.
But the risk propagate when IRC bots was included ie a PC become a real
Zombie.
And a Zombie army is much more dangerous to deal with, they can fire a
"nuclear bomb" against anyone to destroy Internet structure.
Nevertheless I believe it was a small risk for something bigger.
We will see alot in future with Systemwarnings and Spyaxes........
but that Ewido wipes away and Smitrem.
regards
plun
B
Bill Sanderson
plun said:
I was sure I wasn't being perfectly accurate about your view--but I think I
agree with it, so I wanted to attempt to paraphrase it.
It's clear that the folks behind this outbreak are dangerous and hard to
catch.
I'm sure we will see more of them, too--however the fact that Microsoft was
able to build a picture of who hosted this exploit means that there's quite
a bit of information available to help keep tabs on them in the future.
P
plun
Bill Sanderson brought next idea :
Hi again
Yes they are, for example the URL I send to you and Andre
is registred in Russia.
Domain ID:XXXXXXX-LROR
Domain Name: "changed".ORG
Created On:19-Oct-2004 12:50:14 UTC
Last Updated On:04-Dec-2005 00:50:26 UTC
Expiration Date:19-Oct-2006 12:50:14 UTC
Sponsoring Registrar:Critical Internet Inc. (R1345-LROR)
Status:OK
Registrant ID
I_247520
Registrant Name:Alexander Morozov
Registrant Organization:Crutop
Registrant Street1:Volgogradsky prospekt, 16
Registrant Street2:
Registrant Street3:
Registrant City:Moscow
Registrant State/Province:
Registrant Postal Code:126003
Registrant Country:RU
Registrant Phone:+1.4156656387
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:webmaster at se-traf.com
But the registrant is in US.
This will be challenge and I believe if the worlds ISPs
tried even harder in cooperation with police to clean this mess
they will beat the bad guys hopefully.
regards
plun
Hi again
Yes they are, for example the URL I send to you and Andre
is registred in Russia.
Domain ID:XXXXXXX-LROR
Domain Name: "changed".ORG
Created On:19-Oct-2004 12:50:14 UTC
Last Updated On:04-Dec-2005 00:50:26 UTC
Expiration Date:19-Oct-2006 12:50:14 UTC
Sponsoring Registrar:Critical Internet Inc. (R1345-LROR)
Status:OK
Registrant ID
I_247520Registrant Name:Alexander Morozov
Registrant Organization:Crutop
Registrant Street1:Volgogradsky prospekt, 16
Registrant Street2:
Registrant Street3:
Registrant City:Moscow
Registrant State/Province:
Registrant Postal Code:126003
Registrant Country:RU
Registrant Phone:+1.4156656387
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:webmaster at se-traf.com
But the registrant is in US.
This will be challenge and I believe if the worlds ISPs
tried even harder in cooperation with police to clean this mess
they will beat the bad guys hopefully.
regards
plun
A
Anonymous Bob
plun said:
There has to be a balance of freedom and responsibility. Certainly the days
when computer crime was regarded as 13 year old kids having fun are gone.
What we're seeing now is serious and without a proactive response we could
loose the internet. I'm sure there are many who will say I'm overstating or
exaggerating the problem, but the internet must survive as a *commercial*
medium. If it isn't a *trusted* medium its future is in doubt.
Bob Vanderveen
B
Bill Sanderson
Anonymous Bob said:
I don't think you are overstating this. And the same kinds of
civil-liberties issues are present in this area of life as well--we want a
crackdown on the genuine bad guys, but we don't want restrictions on our own
harmless activities--port restrictions by ISP's are quite unpopular, for
example.