Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


January 03, 2006

Microsoft Enters 2006 with Yet Another Major Security Problem

A Web Exclusive from WinInfo
Paul Thurrott
WinInfo
InstantDoc #48934
WinInfo
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

For months now, Microsoft executives have touted 2006 as a year of innovation, with an unprecedented number of major product releases. But the new year is starting out on a decidedly low note, as Microsoft struggles to overcome bad news about a security vulnerability that affects every single OS it's shipped in the past 10 years. In what is now a familiar situation, the company is beset by yet another dangerous software vulnerability, and its customers are right in the crosshairs.

Welcome to Microsoft's credibility problem. Late last week, the company was confronted by news that a newly discovered vulnerability in the Windows Metafile Format (WMF) image file format--a vulnerability that affects virtually every 32-bit Windows version ever made, including fully patched Windows Server 2003 and Windows XP systems--was both more serious than previously expected and already being exploited by malicious hackers. The software giant responded by saying that it would fix the problem by January 10, 2006, at the earliest, which is the date of its previously scheduled monthly security patch release for January. There's just one problem: This flaw is so serious that security experts now believe we can't wait that long.

On Sunday, security researchers at the SANS Institute Internet Storm Center warned that Windows users shouldn't wait for Microsoft's patch but instead install a third-party patch that SANS evaluated over the weekend. To find out more about this patch and grab the free download, see the SANS WMF FAQs at the URL below.

I'm not sure I can recommend installing this patch, but consider this fact: You can be exploited by browsing the Web, or even by simply downloading an infected email. It doesn't matter how up-to-date your antivirus solution is, and it doesn't matter which browser you use, although Mozilla Firefox does offer a level of prompting that's not found in Microsoft Internet Explorer (IE).

Scared yet? You should be. And it's just going to get worse, as newer, more dangerous attacks are launched in the week before Microsoft issues a patch. My guess is that this isn't the kind of New Year Microsoft envisioned for Windows.

 
SANS WMF FAQ page.

End of Article

Reader Comments
Two words: Big Surprise.

Sarcasm definitely intended. I hate that I have to spend 20% of my time in front of my PC fixing Windows, only to learn that there's a vulnerability I can't stop.

mwrisner January 03, 2006 (Article Rating: )

Normally I'd just make some smarmy comment and resist the urge to chortle, but honestly...what the hell is going on in Redmond? Do these people realize just how much lost productivity results from vulnerabilities like this?

Perhaps it's balanced by the revenue generated from fixing this crap. But after 10 years, if anyone honestly thinks that a new version of Windows is going to fix this kind of endemic problem, they're deluding themselves.

lotsamystuff January 03, 2006 (Article Rating: )

Oh, and I love this quote from SANS:

"Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade."

Unbelievable. Perhaps I should just throw away my kid's laptop that runs '98, because Micro$oft can't throw a few dollars out there to fix their freakin' swiss-cheese-security-hole software. Honestly, I don't have 600 bucks to replace the laptop with one that can run XP.

And people wonder why Microsoft is so hated.

lotsamystuff January 03, 2006 (Article Rating: )

And Apple users everywhere chuckle away and continue typing on their Powerbooks.

bonch January 03, 2006 (Article Rating: )

Oh yeah, I got it last week. Norton AV and MS AntiSpyware didn't block anything. Heh, it's a good thing that I got a DVD burner for christmas, I was able to backup everything before the big cleanup (which mean format and reinstall).

pavigeant January 03, 2006 (Article Rating: )

Some info I had to test to find out: You can unregister the shimgvw.dll as a non-admin, but you can't reregister it unless you're a local admin. This limits that workaround's effectiveness in a logon script.

511PF January 03, 2006 (Article Rating: )

lotsamystuff, the sooner people get off 98/Me the better. They have NO security in them. Everyone who uses them is an administrator all the time and can do anything on the system. If you care AT ALL about security, move to the NT line.

PatriotB6007 January 03, 2006 (Article Rating: )

Security vulnerabilities are an industry-wide issue and if you cannot admit this, get out of the business.

The patch has to be vigorously tested before they can release it and if it isn’t, they will be in the good old damned-if-you-do/don’t scenario.

There is an old-fashioned work-a-round available and even a homemade patch but you run the risk either way.

These types of malicious attacks are exactly what anti-virus is designed to combat.

Happy safe bowsing!

KingBuzzo January 03, 2006 (Article Rating: )

PatriotB6007, the NT line obviously isn't that secure either, perhaps you should suggest an alternative operating system to Windows itself instead.

Normally I too would be laughing about such news, but being a Windows 98 and XP user for almost the course of eight years it really isn't all that funny. I haven't touched Windows since this early summer, and boy and I glad that this isn't affecting me.

DerekTraver January 03, 2006 (Article Rating: )

Yea lets put that powerbook comment in the open. Microsoft 10 billion users Apple 1 million. Gee I wonder who I would be Hacking. Lets get to the point apple or mirosoft or linux its software and they ALL have vulnerabilities. Just hackers perfer to get the biggest BANG for thier buck. Microsft is on the front line. So they get it more often.

coke_2001 January 03, 2006 (Article Rating: )

 See More Comments  1   2   3 

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
Friday at PASS Europe 2006

Kevin talks about the closing day of the event and shares a funny Microsoft film. ...

The Memory-Optimization Hoax

Don't believe the hype. At best, RAM optimizers have no effect. At worst, they seriously degrade performance. ...

Escape From Yesterworld

Kevin points you to the funniest SQL Server website ever! ...
Security Whitepapers Protecting (You and) Your Data with Exchange Server 2007

Extended Validation SSL Certificates

Unauthorized applications: Taking back control
Related Events Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.

Job Openings in IT

ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

IT Connections
Dive into the new Microsoft platforms and products you implement and support with the experts from Microsoft, TechNet Magazine, Windows ITPro and industry gurus. There are 70+ sessions and interactive panels with networking opportunities.

Attention User Group Leaders...
Announcing the eNews Generator—a FREE HTML e-newsletter builder for user group leaders. Build your HTML and text e-newsletters in minutes and add Windows IT Pro & SQL Server Mag articles alongside your own message!.

Master SharePoint with 3 eLearning Seminars
Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!

Get SQL Server 2008 at WinConnections
Don’t miss Microsoft Exchange and Windows Connections conferences, the premier events for Microsoft IT Professionals in Las Vegas, November 10-13. Every attendee will receive a copy of SQL Server 2008 Standard Edition with one CAL.



Interested in Email Encryption?
Read about the advantages of identity-based encryption in this free report.

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.

Virtualization Congress Oct. 14-16 in London
Don't miss Virtualization Congress, the premiere EMEA conference dedicated to hardware, OS and application virtualization. Oct. 14-16.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technical Resources Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing