Network Security Focus-Microsoft
RE: Security templates and settings in Windows XP

Subject: RE: Security templates and settings in Windows XP
Date: Thu, 29 Dec 2005 16:06:49 -0500
 

-----Original Message-----
From: Levinson, Karl [mailto:Karl.Levinson@dhs.gov] 

-----Original Message-----
From: Derick Anderson [mailto:danderson@vikus.com]

Research? It took Zotob 6 or 7 days to come out after MS05-39. There's
a 0-day for WMF which has been out for two days now:

http://www.f-secure.com/weblog/archives/archive-122005.html#00000752

In reality they've probably already validated most if not all 
of the vulnerability.  Microsoft seems to have decided for 
some reason that it is not in their [or maybe our] best 
interest for them to validate vulnerabilities until there is 
a patch out.  Possibly they feel validating the vuln to the 
world increases the risk rather than decreasing it.

I'm not really sure what their thought is on that. I would think the
vast majority of people who find themselves reading such a bulletin
would have already hit Bugtraq and know that the vulnerability is real.
Perhaps they really haven't validated it yet, or perhaps they don't care
what I think.

I'd love to have the time to research updates before applying them but
I think there's more risk in waiting than in having MS standard
templates applied.

You have the luxury of installing patches without testing 
them exactly because Microsoft spends 30+ days testing their 
patches.  If they didn't, MS patches would break something 
every time, and you would never install them without your own 
testing.  I think you're actually supporting the argument for 
MS to take their time to release a tested patch.

I do support MS taking the time to release a tested patch. That was
never my contention. My contention is spending _more_ time testing an
already tested patch because of third-party
templates/guides/blogs/whatever used to make a server more secure.

Based on my admittedly limited security experience, I'd rather have a
fully patched, mostly-hardened server than a mostly-patched, fully
hardened server. I just see way more attacks based on exploits which
relate directly to a patch than those related to some file or protocol
which has slightly more permissive settings than SANS thinks it should.

It won't surprise me in the slightest when I start getting WMF exploit
emails with the pictures embedded (rather than linked). I just wonder
whether Microsoft will have a patch out in time.

No need to wonder.  It will be at least 35 days to get a 
patch.  This is nothing new, we all knew this when we bought 
our Windows computers.

Yes, I'm sure it's in the EULA... =) In the meantime I've employed the
workaround (disabling the DLL which does image rendering for Windows
Picture and Fax Viewer). At least there is one (other than unplugging
the ethernet cable). 

Derick Anderson
