For months now, Microsoft executives have touted 2006 as a year of innovation, with an unprecedented number of major product releases. But the new year is starting out on a decidedly low note, as Microsoft struggles to overcome bad news about a security vulnerability that affects every single OS it's shipped in the past 10 years. In what is now a familiar situation, the company is beset by yet another dangerous software vulnerability, and its customers are right in the crosshairs.
Welcome to Microsoft's credibility problem. Late last week, the company was confronted by news that a newly discovered vulnerability in the Windows Metafile Format (WMF) image file format--a vulnerability that affects virtually every 32-bit Windows version ever made, including fully patched Windows Server 2003 and Windows XP systems--was both more serious than previously expected and already being exploited by malicious hackers. The software giant responded by saying that it would fix the problem by January 10, 2006, at the earliest, which is the date of its previously scheduled monthly security patch release for January. There's just one problem: This flaw is so serious that security experts now believe we can't wait that long.
On Sunday, security researchers at the SANS Institute Internet Storm Center warned that Windows users shouldn't wait for Microsoft's patch but instead install a third-party patch that SANS evaluated over the weekend. To find out more about this patch and grab the free download, see the SANS WMF FAQs at the URL below.
I'm not sure I can recommend installing this patch, but consider this fact: You can be exploited by browsing the Web, or even by simply downloading an infected email. It doesn't matter how up-to-date your antivirus solution is, and it doesn't matter which browser you use, although Mozilla Firefox does offer a level of prompting that's not found in Microsoft Internet Explorer (IE).
Scared yet? You should be. And it's just going to get worse, as newer, more dangerous attacks are launched in the week before Microsoft issues a patch. My guess is that this isn't the kind of New Year Microsoft envisioned for Windows.
Sarcasm definitely intended. I hate that I have to spend 20% of my time in front of my PC fixing Windows, only to learn that there's a vulnerability I can't stop.
mwrisner January 03, 2006 (Article Rating: )
Normally I'd just make some smarmy comment and resist the urge to chortle, but honestly...what the hell is going on in Redmond? Do these people realize just how much lost productivity results from vulnerabilities like this?
Perhaps it's balanced by the revenue generated from fixing this crap. But after 10 years, if anyone honestly thinks that a new version of Windows is going to fix this kind of endemic problem, they're deluding themselves.
lotsamystuff January 03, 2006 (Article Rating: )
Oh, and I love this quote from SANS:
"Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade."
Unbelievable. Perhaps I should just throw away my kid's laptop that runs '98, because Micro$oft can't throw a few dollars out there to fix their freakin' swiss-cheese-security-hole software. Honestly, I don't have 600 bucks to replace the laptop with one that can run XP.
And people wonder why Microsoft is so hated.
lotsamystuff January 03, 2006 (Article Rating: )
And Apple users everywhere chuckle away and continue typing on their Powerbooks.
bonch January 03, 2006 (Article Rating: )
Oh yeah, I got it last week. Norton AV and MS AntiSpyware didn't block anything. Heh, it's a good thing that I got a DVD burner for christmas, I was able to backup everything before the big cleanup (which mean format and reinstall).
pavigeant January 03, 2006 (Article Rating: )
Some info I had to test to find out: You can unregister the shimgvw.dll as a non-admin, but you can't reregister it unless you're a local admin. This limits that workaround's effectiveness in a logon script.
511PF January 03, 2006 (Article Rating: )
lotsamystuff, the sooner people get off 98/Me the better. They have NO security in them. Everyone who uses them is an administrator all the time and can do anything on the system. If you care AT ALL about security, move to the NT line.
PatriotB6007 January 03, 2006 (Article Rating: )
Security vulnerabilities are an industry-wide issue and if you cannot admit this, get out of the business.
The patch has to be vigorously tested before they can release it and if it isn’t, they will be in the good old damned-if-you-do/don’t scenario.
There is an old-fashioned work-a-round available and even a homemade patch but you run the risk either way.
These types of malicious attacks are exactly what anti-virus is designed to combat.
Happy safe bowsing!
KingBuzzo January 03, 2006 (Article Rating: )
PatriotB6007, the NT line obviously isn't that secure either, perhaps you should suggest an alternative operating system to Windows itself instead.
Normally I too would be laughing about such news, but being a Windows 98 and XP user for almost the course of eight years it really isn't all that funny. I haven't touched Windows since this early summer, and boy and I glad that this isn't affecting me.
DerekTraver January 03, 2006 (Article Rating: )
Yea lets put that powerbook comment in the open. Microsoft 10 billion users Apple 1 million. Gee I wonder who I would be Hacking. Lets get to the point apple or mirosoft or linux its software and they ALL have vulnerabilities. Just hackers perfer to get the biggest BANG for thier buck. Microsft is on the front line. So they get it more often.
You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor?
Register now
An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...
Let Your Users Reset Their Own Passwords: Free Download Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.
Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!
Deep Dive into VMware vSphere, eLearning Series Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
)
)
Register
Sarcasm definitely intended. I hate that I have to spend 20% of my time in front of my PC fixing Windows, only to learn that there's a vulnerability I can't stop.
mwrisner January 03, 2006 (Article Rating: