Last month we reported on the WMF vulnerability in Windows, the latest security hole found in Microsoft’s products. This month saw a large number of developments in the case. While the world waited for a patch from Microsoft, security researcher Ilfak Guilfanov took the unusual step of releasing his own patch. Security commentators advised using the unofficial patch, citing Guilfanov’s good reputation and the lack of any other available response as reasons to go against the normal security wisdom of only applying patches from the original vendor.
By the second of January we had the startling revelation that the vulnerability was not a bug at all, but a documented feature of WMF files: the format’s escape mechanism lets a metafile register a procedure to be called if output is aborted, and the renderer ran that code straight from the file. Despite all the effort Microsoft has been putting into making its products more secure, it seems that no-one got round to checking the specifications and their implications. Mistakes like buffer overflows might have been made far less likely, but who knows how many more basic design flaws remain?
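The check a mail gateway or forensic analyst would want at this point is a scanner that walks the records of a WMF file and flags any escape record that registers an abort procedure. The following Python is an added example written for this page, not code from the original article, from Guilfanov’s patch or from Microsoft. It assumes the standard WMF layout (an optional 22-byte placeable header keyed by 0x9AC6CDD7, an 18-byte header, then records of a 32-bit size in 16-bit words followed by a 16-bit function code), with META_ESCAPE = 0x0626 and the SETABORTPROC escape function = 9. The helper names (`iter_wmf_records`, `find_abort_proc_escapes`, `record`, `build_wmf`) are this example’s own, and the two sample files are constructed inline; the escape payload is four placeholder bytes, not an exploit.

```python
import struct

# Windows Metafile constants (from the WMF format specification)
META_ESCAPE = 0x0626          # record function: escape to the device driver
META_EOF = 0x0000             # record function: end of metafile
META_SETMAPMODE = 0x0103      # an ordinary drawing record, used in the samples
SETABORTPROC = 0x0009         # escape function: register an abort procedure
PLACEABLE_MAGIC = 0x9AC6CDD7  # key of the optional 22-byte placeable header


def iter_wmf_records(data: bytes):
    """Yield (record_function, parameter_bytes) for each record in a WMF blob."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22                                # skip the placeable header
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    _mtype, header_words = struct.unpack_from("<HH", data, off)
    if header_words != 9:                       # the standard header is 9 WORDs
        raise ValueError("unexpected WMF header size")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        rec_len = size_words * 2                # RecordSize counts 16-bit words
        if rec_len < 6 or off + rec_len > len(data):
            raise ValueError("malformed WMF record at offset %d" % off)
        yield func, data[off + 6 : off + rec_len]
        if func == META_EOF:
            break
        off += rec_len


def find_abort_proc_escapes(data: bytes):
    """Return [(record_index, escape_byte_count)] for every SETABORTPROC escape.

    An escape record carries a 16-bit escape function followed by a 16-bit
    byte count and the escape data; SETABORTPROC has no legitimate use in a
    picture that is merely being displayed, so any hit is worth quarantining.
    """
    hits = []
    for idx, (func, params) in enumerate(iter_wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((idx, byte_count))
    return hits


# --- constructed sample files (assumed inputs, not real malware) ---

def record(func: int, params: bytes = b"") -> bytes:
    """Build one WMF record: size in WORDs, function code, WORD-aligned params."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records) -> bytes:
    """Prepend a minimal 18-byte standard header to a list of records."""
    body = b"".join(records)
    max_words = max(len(r) for r in records) // 2
    header = struct.pack("<HHHIHIH",
                         2,                      # Type: disk metafile
                         9,                      # HeaderSize in WORDs
                         0x0300,                 # Version
                         (18 + len(body)) // 2,  # file size in WORDs
                         0,                      # NumberOfObjects
                         max_words,              # MaxRecord
                         0)                      # NumberOfMembers (reserved)
    return header + body


BENIGN_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),   # MM_ANISOTROPIC
    record(META_EOF),
])

# The same picture with a SETABORTPROC escape carrying four placeholder bytes.
SUSPECT_WMF = build_wmf([
    record(META_SETMAPMODE, struct.pack("<H", 8)),
    record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\xcc" * 4),
    record(META_EOF),
])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, find_abort_proc_escapes(blob))
```

The scanner is a triage rule, not a substitute for the patch: it trusts the record sizes it reads, so a file that deliberately breaks the record layout to reach a lenient renderer will raise a parse error rather than a hit, and a parse error on an incoming image should be treated as suspicious in its own right.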
Microsoft Releases Patch: “Patch Tuesday” Schedule in Tatters
On the sixth of January, breaking its “Patch Tuesday” schedule, Microsoft released the official patch for the vulnerability. This calls into question the purpose of “Patch Tuesday”: clearly a sufficiently “important” vulnerability can result in a schedule change, which destroys the supposed advantage of bundling patches into a once-a-month package, since administrators still face unplanned maintenance. So what defines the “importance” of a vulnerability? Hopefully it is a rational evaluation of the problem. However, as late as the third of January there was no sign of an early release. Microsoft had already verified the vulnerability, so the importance of the threat was known. At that stage the most useful information for administrators would have been to know that Microsoft intended to release the patch as soon as testing was complete. Instead the advisory still played down the vulnerability: “…Microsoft’s intelligence sources indicate that the scope of the attacks are not widespread”. That was true, but it could change in minutes, as numerous incidents of fast-spreading malware have shown.
Two possibilities come to mind. Either Microsoft intended to stick to the Patch Tuesday schedule, in which case why did it change its mind? The technical situation had not changed, which suggests that mounting media pressure influenced the decision. Or Microsoft always intended to release the patch as soon as testing was complete, which implies that the intention was kept quiet to avoid negative comment about racing to release a fix. In either case it is clear that the marketing department is in control of Microsoft’s security response.
Microsoft Exploits WMF Saga to Eliminate NT
Users of older Microsoft operating systems are in a worse position. Microsoft will only release updates for “critical” security problems on Windows 98, 98SE and ME, so, magically, the WMF vulnerability has been labelled “non-critical” for these operating systems, with the justification that an “exploitable attack vector” has not been identified. Did they look?
Windows NT and pre-SP4 versions of Windows 2000 have reached the end of their support lifecycles, so they will go unpatched no matter how critical the problem is. Microsoft’s recommendation to users of these systems is to pay Microsoft more money and upgrade to later editions of Windows.
Chinese Hackers Exploit WMF Vulnerability to Attack UK Government Targets
Email security company MessageLabs has blocked targeted attacks on British MPs and other UK Government sites. Messages that apparently originated in China carried a trojan utilizing the WMF vulnerability. There is no indication whether the attack was initiated by the Chinese Government, independent Chinese hackers, or, indeed, by another attacker making use of compromised computers in China.