Security Basics mailing list archives
Re: WMF Exploit Patch Released
From: Matthew Schiros <schiros () gmail com>
Date: Sat, 7 Jan 2006 22:22:11 -0600
Donald, Perhaps I chose my words poorly. My point was not that Microsoft was using this patch as an attempt to push users away from NT 4.0. I know that NT 4 was has been EOL'd for some time now, and I'm aware that there are many viable replacement OS's put out by Microsoft since. At the same time though, there's the issue of taking responsibility for your software when you aren't willing to reveal the source and allow others to make the fixes that you aren't willing to. This isn't a matter of a low-risk bug in a piece of legacy word processing software, it's a highly dangerous exploit in software that, if its being used today, is used on what's likely mission critical machines. While I'd like to say that MS can't have its cake and eat it too, it can. It can spend years pushing a product, get everyone to use that product, and then relatively quickly EOL that product, and get you to move to something else. It's a great business model, obviously, because people keep buying, but at the same time, how many System V or AIX exploits do you think appear that go unfixed because of the age of the OS? What kind of relationship do you have with your customers if you just refuse to take responsibility for a drastic flaw under the blanket of ending support? Nobody is saying that Microsoft should be obligated, or should even consider, doing anything like doing DirectX updates or anything, just fix fatal flaws in already existing code. If it suddenly turned out that NT 4.0 seg faulted every time it recieved an incomplete TCP packet (obviously this isn't the case, but whatever), would you say that Microsoft had no obligation to fix that problem? Matt On 1/7/06, Donald N Kenepp <don () videon-central com> wrote:
Hi Matthew, Sadly, it isn't so much Microsoft saying you should upgrade for this patch, but Microsoft saying you should have upgraded from Windows NT 4.0 a long time ago. NT 4.0 has been being retracted from the market since 2001. It was declared closed for normal support in 2003. They are now phasing out extended support in 2005. Windows NT 4.0 first showed up back in 1996. We have since had 98, Me, W2K, XP, and now Vista is coming. The server end has seen W2K and 2003 with a service pack. Should an OS be supported for ten years past its inception? Will there be a WMF patch for Windows 95 as well? One way to look at things is that Microsoft is an evil empire sticking it to the man. One might also say they are the average business with new products. Regardless of motive, it honestly costs more to maintain NT 4.0 at this point than to upgrade to a newer OS. Red Hat 4.0 also came out in 1996. The amount of patching, manual configuration, and manual administration involved in a product that has seen its day come and go is much more expensive than migration. There is also a fair amount of default security, productivity, and usability gains in the newer versions of these products. You can still run programs dating back to Windows 95 and NT 4.0 and even DOS on Windows XP. That's a lot of overhead Microsoft built in to ease transitions. Skipping one OS version for cost reasons can certainly make sense, but if you are making things last and your workstations and servers have a five year lifecycle, so should their operating systems. Just for some perspective on 1996: Dell opened internet sales. Netgear was founded. Google was first developed. Sony entered the PC market. Microsoft introduced Windows NT 4.0 and Windows CE 1.0. Sun introduced the Ultra workstation family and licensed Java. Seagate released the original 10k Cheetah drives at 6GB. Intel released the 200MHZ P6. The 266MHz PII didn't come until 1997. I do wish you the best of luck in patching NT 4.0 systems if you are truly stuck with them, but my recommendation to anyone still on NT is to use this as one more reason to present the idea of a new OS to management this year. Sincerely, Donald -----Original Message----- From: Matthew Schiros [mailto:schiros () gmail com] Sent: Friday, January 06, 2006 12:47 PM To: info () footvision com Cc: security-basics () securityfocus com Subject: Re: WMF Exploit Patch Released According to Microsoft, WinNT4 and Win2k SP3 users are out of luck. Their reccomended "solution" is to upgrade your software to a supported version. Obviously, all this means is that they have no solution at all, but this is hardly the first time that MS has stuck it to WinNT4 users as part of an attempt to get them all moved over to 2k SP4. As for the viability of disabling the DLL's in question, while I haven't had any problems as a result of doing that on the 2k boxes in the office, I haven't had the opportunity to test its impact on NT systems. That seems to be the only way of removing the exploit from your machines though, and I'd be interested in knowing the results of your attempts. On 1/6/06, info () footvision com <info () footvision com> wrote:Hello Everyone, Unfortunately there are company who are still running NT4 and I was wondering which alternative do they have to face this security breach from the fact that Microsoft do not provideanypatch for NT4 . Do they have to disable GDI32.DLL and WGDI32.DLL as suggested previouslyforSHIMGVW.DLL? Regards. Ernest Matos IT Security -----Original Message----- From: Matthew Schiros [mailto:schiros () gmail com] Sent: Thursday, January 05, 2006 10:51 PM To: security-basics () securityfocus com; bugtraq () securityfocus com Subject: WMF Exploit Patch Released Microsoft has released a patch for the WMF exploit a couple of days early, apparently due to a faster-than-expected testing process, and, at least I hope, some consumer pressure. It can be downloaded via Windows Update, or as a standalone install at: http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx As a note, it appears that all of the attempts to circumvent the problem via disabling SHIMGVW.DLL were irrelevant, and that those who discovered that GDI32.DLL and WGDI32.DLL were the culprits were correct. Happy crawling. Matt Schiros Web Developer Academic Superstore www.academicsuperstore.com---------------------------------------------------------------------------EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business ContinuityPlanning,Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus---------------------------------------------------------------------------- --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ----------------------------------------------------------------------------
--------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ----------------------------------------------------------------------------
Current thread:
- WMF Exploit Patch Released Matthew Schiros (Jan 05)
- <Possible follow-ups>
- Re: WMF Exploit Patch Released Matthew Schiros (Jan 07)
- Lose the 'tude bub... (was: WMF Exploit Patch Released) Burton Strauss (Jan 09)
- RE: WMF Exploit Patch Released Donald N Kenepp (Jan 10)
- Re: WMF Exploit Patch Released Matthew Schiros (Jan 11)
- Security and EOL issues (was RE: WMF Exploit Patch released) Donald N Kenepp (Jan 09)