Microsoft Says Wait One More Week

I just received notice of the updated Microsoft Security Advisory on the WMF fiasco. It states:

Microsoft has completed development of the security update for the vulnerability. The security update is now being localized and tested to ensure quality and application compatibility. Microsoft’s goal is to release the update on Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on successful completion of quality testing...

What’s Microsoft’s response to the availability of third party patches for the WMF vulnerability?

Microsoft recommends that customers download and deploy the security update for the WMF vulnerability that we are targeting for release on January 10, 2006.

As a general rule, it is a best practice to utilize security updates for software vulnerabilities from the original vendor of the software. With Microsoft software, Microsoft carefully reviews and tests security updates to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. In addition, Microsoft’s security updates are offered in 23 languages for all affected versions of the software simultaneously.

Microsoft cannot provide similar assurance for independent third party security updates.


In other words, get 0wn3d, stay 0wn3d.

I'm going to keep my eye on the Kaspersky Lab Analyst Diary for news on any other WMF worms.

Comments

Anonymous said…
You may also want to check out F-Secure (http://www.f-secure.com/weblog/) as they have some updates that are more current, including some updates regarding Windows 2000/98/95/ME which may significantly reduce worm risks.

I'm also concerned about the Virus companies. Symantec hasn't updated their heuristic filter since Friday, and much has been written about other variants since then.

Thanks!

Anonymous said…
This is the exact type of attitude that has turned me against commercial software vendors, especially Microsoft. I sent out an email summarizing the vulnerability and the exploits found so far on Monday to all of the computer users at my place of employment. The attitude is that Symantec AV will catch any exploit attempts. What the ... more disgusting attitudes and this from the IT department. Oh well, at least I don't have to deal with the problem of cleaning all those end-user PCs, once it makes its way into the network. Plus, I don't use Windows any more!!! Yea!!! FreeBSD for me!!!

Makes me wonder how come so many companies are still using Windows, after all these years of security vulnerabilities showing up. How sad for the business world to not recognize a failure, when it is right before their very eyes!

G'Day,

Roger Crane
