More info. This seems pretty reasonable:
http://castlecops.com/a6445-WMF_Exploit_FAQ.html
Steve Gibson is also mirroring Guilfanov's bypass, and says
Microsoft's cryptographically signed but unreleased patch
is floating around the net now:
http://www.grc.com/sn/notes-020.htm
In my reading this is a serious vulnerability, but the self-inflating
agitation in the "security community" has reached
a highly annoying level. I'm in the FTDT (fix the damn thing)
school; let's deal with it and get on with it. Every cycle spent
moaning about the faults of Microsoft is a lost opportunity
for something more productive.
Back to /usr/lurk . . .
regards,
Fred
How many times do you propose we FTDT before we get fed up and ask upper
management to authorize a migration to some other software with a better
record? And how many more FTDTs do we need to tolerate while we wait for
upper management to authorize a migration?
Or to put it differently - if you discovered that your router vendor was
vulnerable because they had a proprietary BGP extension *designed* to deliver
arbitrary code for execution, would you FTDT, or would you be on the phone
with your vendor venting your outrage? And what if it wasn't the first, but
more like the 10th year in a row that a similar design issue had surfaced?
Would you still just FTDT?
And while you're trying to figure out how to roll out a patch to 200 routers
that are totally under your control, keep in mind that a *small* organization
can have 30K PCs, not always totally managed.
Still feel like just FTDT?
a message of 46 lines which said:
How many times do you propose we FTDT before we get fed up and ask
upper management to authorize a migration to some other software
with a better record? And how many more FTDTs do we need to
tolerate while we wait for upper management to authorize a
migration?
There is no limit to what human beings can stand before becoming
reasonable. That is human nature and the engineers' rationality is no
match for it.
Think about religion, for instance. A lot of people still believe in a
supernatural being despite a very bad track record (much worse than
MS-Windows').
Indeed. It's the security equivalent of "the market can stay irrational longer than you can stay solvent" - perhaps we could reformulate that as "the users can remain clueless longer than your business can survive the DDoS".
We're looking at purchasing MPLS services for locations nationwide. Does
anyone have personal experiences they'd care to share about providers...the
good, the bad, the ugly?
I'm not looking for public bashing, just data to differentiate one from
another. Any comments or direction appreciated.
Andrew