WMF Exploit!!!! Install this patch now!

Tom Porterfield

Mitch said:
And you don't see the difference?

Of course I see the difference. Where did I say I didn't see the
difference? I also never said I agree or disagree with the MS policy.
I simply stated their policy.
--
Tom Porterfield
MS-MVP Windows
http://support.teloep.org

Please post all follow-ups to the newsgroup only.
 
jt3

What I understand from reading about it is that it isn't a flaw, precisely,
but is due to the way the .WMF format is designed--to allow callbacks, and
that's the reason for the 'door' into GDI32.DLL that causes the problem. In
other words, it was designed to do that, and as such allows unauthorized
access to your machine. The unofficial patch just blocks that route.

Jim said:
The actual problem is not shimgvw.dll. Rather there is a flaw in the
GDI32.DLL that is enabling this exploit.

GDI32.DLL handles virtually ALL graphics calls in Windows, so disabling it
would not be advised.

Jim
 
Michael Stevens

Asher_N said:
Because in larger installations, patches need to be tested. It's far
easier to install a series of patches once a month and test and deploy
them, than to have to go through that cycle several times a month. It
also allows me to have my users leave their computers on overnight
only once a month.


Sorry I missed your post. ITs should not be compelled to change the
critical update schedule because a critical update is issued as an emergency
release, if they have already covered the threat by other security measures.
But as an IT, why could they not understand why you would want your network
unprotected from a potential threat that could be timed to coincide with the
MS update schedule. What is so hard to think a potential threat would not be
released immediately after the scheduled MS critical update and would not be
addressed until the next scheduled update?
The policy of releasing updates only on scheduled dates is very flawed
thinking, and I guess MS got the message this time because they released the
update 5 days early, but probably 5 days later than they could and should
have.
It is time for someone at Microsoft to get a handle on reality and realize
the XP OS is a target for every hacker with malicious intent to find any
hole in any aspect of the system and plug the hole as soon as it is
breached. This is what Linux distros do, and they have close to the same
amount of attempts to compromise their users' data. If Linux was the dominant
OS, it would be bombarded with the same intensity of virus, worms, and other
security intrusions as Windows.
MS just makes it easier because they tell the authors of malicious content
when they should launch their attacks.
--
Michael Stevens MS-MVP XP
(e-mail address removed)
http://www.michaelstevenstech.com
For a better newsgroup experience. Setup a newsreader.
http://www.michaelstevenstech.com/outlookexpressnewreader.htm
 
Mitch

Tom Porterfield said:
Of course I see the difference. Where did I say I didn't see the
difference? I also never said I agree or disagree with the MS policy.
I simply stated their policy.

Okay.
I thought when you said that the statement objecting to the policy was
confusing it was because you didn't see the difference between what was
being asked of them and what they were saying they would do.

I'm glad to see that Microsoft decided to go ahead with the patch; some
industry portals were starting to sound grim about the immediate
threat.
 
cquirke (MVP Windows shell/user)

It just stuns me that Microsoft so blatantly considers corporate sys
admins the most important part of the industry.

I'd expect that with XP Pro - after all, it's NT, and NT was
originally aimed at the hi-end biz market, once it became clear that
converting Windows 3.yuk to 32-bit wasn't going to magically speed it
up, and would need far more RAM to perform at the same speed.

What annoys me is this approach applies to XP Home, too.

I do understand that it's only the big corporates - huge OEMs like
HP/Compaq, huge corporate clients like the Fortune 100 - who have any
kind of leverage to compel attention from MS.

I also understand it's far easier for MS devs to speak to pro
sysadmins and OEM hardware engineers, as they speak the same technical
level of language. Often the same techs drift across the industry.

But XP Home is dropped into *our* market (i.e. the old Win9x market)
and should be dancing to our tune. We deserve better than "sloppy
seconds" from the corporate market; our needs are different, not less,
and the extra value we need goes beyond make-it-easy dummy icons.


------------ ----- ---- --- -- - - - -
The most accurate diagnostic instrument
in medicine is the Retrospectoscope
 
P. Thompson

And should my system develop problems from this unauthorised patch, where
would that leave me?

I subscribe to following the manufacturer's instructions. Microsoft would
never endorse this procedure.

I'm not inclined to download and let loose a non-Microsoft .exe file,
promising to patch my Windows XP, onto my system.

That contravenes every anti-spyware, anti-spam, anti-malware, good-practice
guideline I can think of.

With the end of XP home support later this year, a lot of users will be
hoping that future exploits are as able to be patched as easily by third
parties as this one was. Unless they are able to fork over for a
professional or vista "upgrade".
 
Alias

P. Thompson said:
With the end of XP home support later this year, a lot of users will be
hoping that future exploits are as able to be patched as easily by third
parties as this one was. Unless they are able to fork over for a
professional or vista "upgrade".

Wrong. An SP 3 is coming out that will extend the support. Critical
updates are still being handed out by MS for 9x and Me so you're, well,
wrong.
 
