Microsoft patch for WMF vulnerability

[Adam Piggott]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Microsoft have published a patch for the Windows WMF vulnerability,
available via Windows Update. Seems they've decided to put it up earlier as
we're all complaining we want it NOW and not later

Follow Internet Explorer->Tools->Windows Update and follow the prompts to
install the patch.

Source:
http://sunbeltblog.blogspot.com/2006/01/flash-microsoft-going-out-of-cycle-to.html

Cheers

Adam Piggott,
Proprietor,
Proactive Services (Computing)
http://www.proactiveservices.co.uk/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD4DBQFDvX6t7uRVdtPsXDkRAri+AJjLCitnEAzsm3l/cYWDd2JTmr8bAKCLAPBJ
PHVgQSggPmqBQUt9GTCAuA==
=QeRf
-----END PGP SIGNATURE-----

 

[Heather]

Microsoft have published a patch for the Windows WMF vulnerability,
available via Windows Update. Seems they've decided to put it up >earlier
as we're all complaining we want it NOW and not later

Microsoft has released this Bulletin re the patch availability.

Please note that it will not be released until 2 pm today PST.....which is 5
pm here on the Eastern Seaboard.

http://www.microsoft.com/technet/security/bulletin/advance.mspx

Thanks to Mike Maltby, MVP for posting this on the WinME news groups.

I just checked Windows Update and the following is ready for download now.
I can only assume that is the above-mentioned one.

Security Update for Windows XP (KB912919)

Cheers....Heather

 

[Todd H.]

Microsoft has released this Bulletin re the patch availability.

Please note that it will not be released until 2 pm today PST.....which is 5
pm here on the Eastern Seaboard.

http://www.microsoft.com/technet/security/bulletin/advance.mspx

Good deal. I'm glad they decided to push the availability date up.
Kudos to them for listening to their screaming customers.

 

[Art]

Microsoft have published a patch for the Windows WMF vulnerability,
available via Windows Update. Seems they've decided to put it up earlier as
we're all complaining we want it NOW and not later

For Win 2K and later. From the FAQ concerning Win 9X/ME:
*************************************************
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
and Microsoft Windows Millennium Edition (ME) were previously
listed as affected, but are no longer listed. Why is that?

Although Windows 98, Windows 98 Second Edition, and Windows
Millennium Edition do contain the affected component, at this
point in the investigation, an exploitable attack vector has
not been identified that would yield a Critical severity rating
for these versions. Per the support life cycle of these versions,
only vulnerabilities of Critical severity would receive security
updates.
*************************************************
I've installed the NOD32 fix on my Win ME PC, and it looks like
it will stay

Art

http://home.epix.net/~artnpeg

 

[David H. Lipman]

From: "Art" <[email protected]>


|
| For Win 2K and later. From the FAQ concerning Win 9X/ME:
| *************************************************
| Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
| and Microsoft Windows Millennium Edition (ME) were previously
| listed as affected, but are no longer listed. Why is that?
|
| Although Windows 98, Windows 98 Second Edition, and Windows
| Millennium Edition do contain the affected component, at this
| point in the investigation, an exploitable attack vector has
| not been identified that would yield a Critical severity rating
| for these versions. Per the support life cycle of these versions,
| only vulnerabilities of Critical severity would receive security
| updates.
| *************************************************
| I've installed the NOD32 fix on my Win ME PC, and it looks like
| it will stay
|
| Art
|
| http://home.epix.net/~artnpeg

I'm with you Art !

 

[=?ISO-8859-1?Q?=BBQ=AB?=]

For Win 2K and later. From the FAQ concerning Win 9X/ME:
*************************************************
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
and Microsoft Windows Millennium Edition (ME) were previously
listed as affected, but are no longer listed. Why is that?

Although Windows 98, Windows 98 Second Edition, and Windows
Millennium Edition do contain the affected component, at this
point in the investigation, an exploitable attack vector has
not been identified that would yield a Critical severity rating
for these versions. Per the support life cycle of these versions,
only vulnerabilities of Critical severity would receive security
updates.
*************************************************
I've installed the NOD32 fix on my Win ME PC, and it looks like
it will stay

Steve Gibson has said he'll write one for 9x/ME. I assume he'll make
the source available so others can check it, but I'm not sure. In the
meantime, I'll certainly stick with the NOD32 patch.

 

[louise]

Steve Gibson has said he'll write one for 9x/ME. I assume he'll make
the source available so others can check it, but I'm not sure. In the
meantime, I'll certainly stick with the NOD32 patch.

I installed the fix on Gibson's site.

I'm nervous about trusting a Microsoft patch that they
rushed out to say they fixed it fast. Many of their "fixes"
have been to known to be very problematic.

Any thoughts on leaving the Gibson patch and waiting for the
Microsoft patch to be be tested in real life?

TIA

Louise

 

[David H. Lipman]

From: "louise" <[email protected]>


| I installed the fix on Gibson's site.
|
| I'm nervous about trusting a Microsoft patch that they
| rushed out to say they fixed it fast. Many of their "fixes"
| have been to known to be very problematic.
|
| Any thoughts on leaving the Gibson patch and waiting for the
| Microsoft patch to be be tested in real life?
|
| TIA
|
| Louise

Their fix is a replacement of gdi32.dll. That's it. I think itt can be trusted until
someone else finds a vulnerability and exploits it. This goes back to Gdiplus.dll...

Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing Could Allow Code Execution (833987)
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

 

[Boris Mohar]

From: "Art" <[email protected]>


|
| For Win 2K and later. From the FAQ concerning Win 9X/ME:
| *************************************************
| Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
| and Microsoft Windows Millennium Edition (ME) were previously
| listed as affected, but are no longer listed. Why is that?
|
| Although Windows 98, Windows 98 Second Edition, and Windows
| Millennium Edition do contain the affected component, at this
| point in the investigation, an exploitable attack vector has
| not been identified that would yield a Critical severity rating
| for these versions. Per the support life cycle of these versions,
| only vulnerabilities of Critical severity would receive security
| updates.
| *************************************************
| I've installed the NOD32 fix on my Win ME PC, and it looks like
| it will stay
|
| Art
|
| http://home.epix.net/~artnpeg

I'm with you Art !

While stumbling around on MS website looking for the bloody update I finally
ended up wit this message:

"Thank you for your interest in obtaining updates from our site.

To use this site, you must be running Microsoft Internet Explorer 5 or later.

To upgrade to the latest version of the browser, go to the Internet Explorer
Downloads website."

WTF? Does this mean that I cannot update without IE? I am using Firefox.

 

[David H. Lipman]

From: "Boris Mohar" <[email protected]>


|
| While stumbling around on MS website looking for the bloody update I finally
| ended up wit this message:
|
| "Thank you for your interest in obtaining updates from our site.
|
| To use this site, you must be running Microsoft Internet Explorer 5 or later.
|
| To upgrade to the latest version of the browser, go to the Internet Explorer
| Downloads website."
|
| WTF? Does this mean that I cannot update without IE? I am using Firefox.
|

Almots...

KB912919
http://www.microsoft.com/downloads/...96-57ae-499e-b89b-215b7bb4d8e9&DisplayLang=en

 

[Peter Seiler]

Heather - 05.01.2006 21:30 :

I just checked Windows Update and the following is ready for download now.
I can only assume that is the above-mentioned one.

Security Update for Windows XP (KB912919)

yes should be. I downloaded from the M$ site.

 

[Art]

While stumbling around on MS website looking for the bloody update I finally
ended up wit this message:

"Thank you for your interest in obtaining updates from our site.

To use this site, you must be running Microsoft Internet Explorer 5 or later.

To upgrade to the latest version of the browser, go to the Internet Explorer
Downloads website."

WTF? Does this mean that I cannot update without IE? I am using Firefox.

Why not use IE6 for Windows Update? You don't have use it for anything
else, or make it the default browser. Since getting all patches is
important, using IE and WU is really the only way to go.

Art

http://home.epix.net/~artnpeg

 

[Boris Mohar]

From: "Boris Mohar" <[email protected]>


|
| While stumbling around on MS website looking for the bloody update I finally
| ended up wit this message:
|
| "Thank you for your interest in obtaining updates from our site.
|
| To use this site, you must be running Microsoft Internet Explorer 5 or later.
|
| To upgrade to the latest version of the browser, go to the Internet Explorer
| Downloads website."
|
| WTF? Does this mean that I cannot update without IE? I am using Firefox.
|

Almots...

KB912919
http://www.microsoft.com/downloads/...96-57ae-499e-b89b-215b7bb4d8e9&DisplayLang=en

Thank you Sir.

 

[Luke]

For Win 2K and later. From the FAQ concerning Win 9X/ME:
*************************************************
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE),
and Microsoft Windows Millennium Edition (ME) were previously
listed as affected, but are no longer listed. Why is that?

Although Windows 98, Windows 98 Second Edition, and Windows
Millennium Edition do contain the affected component, at this
point in the investigation, an exploitable attack vector has
not been identified that would yield a Critical severity rating
for these versions. Per the support life cycle of these versions,
only vulnerabilities of Critical severity would receive security
updates.
*************************************************

And "Critical severity" is defined by MS as:

http://www.microsoft.com/technet/security/bulletin/rating.mspx

"The Severity Rating System

The severity rating system provides a single rating for each
vulnerability. The definitions of the ratings are:

Rating Definition

Critical A vulnerability whose exploitation could allow the
propagation of an Internet worm without user action."

In English: If you have to click AND it isn't a worm it ain't
Critical.

I've installed the NOD32 fix on my Win ME PC, and it looks like
it will stay

Same here. May substitute Steve Gibson's patch when he releases it.

--
Luke
______________________________________________________________________
"Warrants? We ain't got no warrants. We don't need no warrants. I
don't have to show you any stinkin' warrants."
-- George W. Bush, December 18, 2005

 

[Steve Pope]

Microsoft has revised its webpage for Security Advisory 912840
to point to the new patch.

Unfortunately, this means they have removed from their site
the information on how to un-do the regsvr32 -u command they were
telling you to perform a couple days ago.

Steve

 

[Todd H.]

Microsoft has revised its webpage for Security Advisory 912840
to point to the new patch.

Unfortunately, this means they have removed from their site
the information on how to un-do the regsvr32 -u command they were
telling you to perform a couple days ago.

Luckily it's simple. Just drop the -u.

 

[Steve Pope]

(e-mail address removed) (Steve Pope) writes:

Luckily it's simple. Just drop the -u.

Yes thanks.

Steve

 

[Sean Cousins]

I've installed the NOD32 fix on my Win ME PC, and it looks like
it will stay

Art

What's the NOD32 fix? I need it for my other PC which is running
Win98SE. Thx.

 

[Sean Cousins]

Their fix is a replacement of gdi32.dll. That's it.

Does that mean if I was to run "sfc /scannow" it would replace the new
version with the old version?

 

[Art]

What's the NOD32 fix? I need it for my other PC which is running
Win98SE. Thx.

http://www.nod32.ch/en/download/tools.php

Art

http://home.epix.net/~artnpeg