Re: WMF round-up, updates and de-mystification

[Scott Renna <srenna () lcssecuritygroup com>]

You should read the section entitled FAQ:

How does the extended support for Windows 98, Windows 98 Second Edition, 
and Windows Millennium Edition affect the release of security updates 
for these operating systems?
For these versions of Windows, Microsoft will only release security 
updates for critical security issues. Non-critical security issues are 
not offered during this support period. For more information about the 
Microsoft Support Lifecycle policies for these operating systems, visit 
the following Web site.

http://support.microsoft.com/default.aspx?pr=LifeAn1

**********************************

also, I'm pretty sure MS only issues patches for critical issues for 
Win98, see the link

***********************************

Windows 98 and Windows 98 Second Edition support was scheduled to end on 
January 16, 2004. The continual evaluation of the Support Lifecycle 
policy revealed, however, that customers in the smaller and the emerging 
markets needed additional time to upgrade their product. Therefore, 
Microsoft will continue to support Windows 98, Windows 98 Second 
Edition, and Windows Me through June 30, 2006.

Critical security updates will be provided on the Windows Update site 
through June 30, 2006.

Microsoft will not publicly release non-critical security hotfixes for 
Windows 98, Windows 98 Second Edition, or Windows Millennium Edition. 
However, customers may request a non-critical security hotfix through 
On-Demand Security Hotfix support, which is offered for these products 
through June 30, 2006. When a request is received, Microsoft will 
investigate the issue and try to provide an appropriate response to the 
customer.

**************************

read next time

:)



Anthony R. Nemmer wrote:
> Microsoft just released patches for this vulnerability:
>
> http://www.microsoft.com/technet/security/bulletin/ms06-001.mspx
>
> Unfortunately there are no Microsoft patches for this critical exploit 
> for Win 98, Win 98 SE, or Win 98 ME.  Millions of people still use these 
> operating systems.  Why didn't Microsoft issue patches for them?  Also, 
> is there an unnofficial patch out there that will work for these 
> operating systems?
>
> Thanks,
> Anthony R. Nemmer
>
> InfoSecBOFH wrote:
>
> > So this patch is trusted because you said so?
> >
> > I have tested and confirmed that this patch only works in specific
> > scnenarios and does not mitigate the entire issue.  Variations still
> > work.
> >
> > On 1/3/06, Gadi Evron <ge () linuxbox org> wrote:
> >  
> >
> > > Quite a bit of confusing and a vast amount of information coming from
> > > all directions about the WMF 0day. Here are some URL's and generic facts
> > > to set us straight.
> > >
> > > The "patch" by Ilfak Guilfanov works, but by disabling a DLL in Windows.
> > > So far no problems have been observed by anyone using this patch. You
> > > should naturally check it out for yourselves but I and many others
> > > recommend it until Microsoft bothers to show up with their own patch.
> > >
> > > Ilfak is trusted and is in no way a Bad Guy.
> > >
> > > You can find more information about it at his blog:
> > > http://www.hexblog.com/2005/12/wmf_vuln.html
> > >
> > > If you are still not sure about the patch by Ilfak, check out the
> > > discussion of it going on in the funsec list about the patch, with Ilfak
> > > participating:
> > > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> > > Occasional information of new WMF problems keep coming in over there.
> > >
> > > In this URL you can find the best summary I have seen of the WMF issue:
> > > http://isc.sans.org/diary.php?storyid=994
> > > by the "SANS ISC diary" team.
> > >
> > > In this URL you can find the best write-up I have seen on the WMF issue:
> > > http://blogs.securiteam.com/index.php/archives/167
> > > By Matthew Murphy at the "Securiteam Blogs".
> > >
> > > Also, it should be noted at this time that since the first public
> > > discovery of this "problem", a new one has been coming in - every day.
> > > All the ones seen so far are variants of the original and in all ways
> > > the SAME problem. So, it would be best to acknowledge them as the
> > > same... or we will keep having a NEW 0day which really isn't for about 2
> > > months when all these few dozen variations are exhausted.
> > >
> > > A small BUT IMPORTANT correction for future generations:
> > > The 0day was originally found and reported by Hubbard Dan from Websense
> > > on a closed vetted security mailing list, and later on at the Websense
> > > public page. All those who took credit for it took it wrongly.
> > >
> > > Thanks, and a better new year to us all,
> > >
> > >       Gadi.
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > >   
> >
> >
> >  
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/