> -----Original Message----- > From: Levinson, Karl [mailto:[EMAIL PROTECTED] > > > -----Original Message----- > > From: Derick Anderson [mailto:[EMAIL PROTECTED] > > > Research? It took Zotob 6 or 7 days to come out after > MS05-39. There's > > a 0-day for WMF which has been out for two days now: > > > > http://www.f-secure.com/weblog/archives/archive-122005.html#00000752 > > In reality they've probably already validated most if not all > of the vulnerability. Microsoft seems to have decided for > some reason that it is not in their [or maybe our] best > interest for them to validate vulnerabilities until there is > a patch out. Possibly they feel validating the vuln to the > world increases the risk rather than decreasing it.
I'm not really sure what their thought is on that. I would think the vast majority of people who find themselves reading such a bulliten would have already hit Bugtraq and know that the vulnerability is real. Perhaps they really haven't validated it yet, or perhaps they don't care what I think. > > I'd love to have the time to research updates before > applying them but > > I think there's more risk in waiting than in having MS standard > > templates applied. > > You have the luxury of installing patches without testing > them exactly because Microsoft spends 30+ days testing their > patches. If they didn't, MS patches would break something > every time, and you would never install them without your own > testing. I think you're actually supporting the argument for > MS to take their time to release a tested patch. I do support MS taking the time to release a tested patch. That was never my contention. My contention is spending _more_ time testing an already tested patch because of third-party templates/guides/blogs/whatever used to make a server more secure. Based on my admittedly limited security experience, I'd rather have a fully patched, mostly-hardened server than a mostly-patched, fully hardened server. I just see way more attacks based on exploits which relate directly to a patch than those related to some file or protocol which has slightly more permissive settings than SANS thinks it should. > > It won't surprise me in the slightest when I start getting > WMF exploit > > emails with the pictures embedded (rather than linked). I > just wonder > > whether Microsoft will have a patch out in time. > > No need to wonder. It will be at least 35 days to get a > patch. This is nothing new, we all knew this when we bought > our Windows computers. Yes, I'm sure it's in the EULA... =) In the meantime I've employed the workaround (disabling the DLL which does image rendering for Windows Picture and Fax Viewer). At least there is one (other than unplugging the ethernet cable). Derick Anderson --------------------------------------------------------------------------- ---------------------------------------------------------------------------
