Educause Security Discussion mailing list archives

Re: Jan 10 is the Microsoft stated release date for a WMF page -- was : what is your advice to your users

From: Steve Worona <sworona () EDUCAUSE EDU>
Date: Tue, 3 Jan 2006 08:22:41 -0500

There's tons of press on the WMF exposure/exploit (still a slow time for other news) and blogs galore. This one appears 
to be better than most:

http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx

Steve
--
Steven L. Worona
Director of Policy and Networking Programs
EDUCAUSE / 1150 18th St. NW suite 1010 / Washington, DC 20036
202-872-4200 x 5358 / 202-872-4318 fax / sworona () educause edu

-----
At 7:17 AM -0500 1/3/06, H. Morrow Long wrote:

On Jan 2, 2006, at 4:24 PM, Sadler, Connie wrote:

Does anyone know how close we are to a patch from Microsoft? ...
Anybody have some
status?

January 10 (one week from today) is Microsoft's goal for a patch.

The following was posted today on the updated MS advisory page
( http://www.microsoft.com/technet/security/advisory/912840.mspx )

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution.
Published: December 28, 2005 | Updated: January 3, 2006

On Tuesday, December 27, 2005, Microsoft became aware of public reports of malicious attacks on some customers
involving a previously unknown security vulnerability in the Windows Meta File (WMF) code area in the Windows
platform.

Upon learning of the attacks, Microsoft mobilized under its Software Security Incident Response Process (SSIRP) to
analyze the attack, assess its scope, define an engineering plan, and determine the appropriate guidance for
customers, as well as to engage with anti- virus partners and law enforcement.

Microsoft confirmed the technical details of the attack on December 28, 2005 and immediately began developing a
security update for the WMF vulnerability on an expedited track.

Microsoft has completed development of the security update for the vulnerability. The security update is now being
localized and tested to ensure quality and application compatibility. Microsoft's goal is to release the update on
Tuesday, January 10, 2006, as part of its monthly release of security bulletins. This release is predicated on
successful completion of quality testing. ...

Current thread:

Re: Jan 10 is the Microsoft stated release date for a WMF page -- was : what is your advice to your users Steve Worona (Jan 03)
- <Possible follow-ups>
- Re: Jan 10 is the Microsoft stated release date for a WMF page -- was : what is your advice to your users jack suess (Jan 03)
- Re: Jan 10 is the Microsoft stated release date for a WMF page -- was : what is your advice to your users Brawner, David (Jan 03)
- Re: Jan 10 is the Microsoft stated release date for a WMF page -- was : what is your advice to your users Gary Flynn (Jan 03)