Educause Security Discussion mailing list archives

Re: Jan 10 is the Microsoft stated release date for a WMF page -- was : what is your advice to your users


From: jack suess <jack () UMBC EDU>
Date: Tue, 3 Jan 2006 12:52:56 -0500

Within the Security Task Force we have been in communication with
Microsoft staff related to the WMF exposure. I wanted to pass this on
to the community so you have the same information we do in making a
decision on this.

Microsoft doesn't recommend installing a third party patch for this
and is expecting to release a "tested" patch on January 10th through
Windows Update Service. Microsoft is working with various CERTs to
stay on top of what is happening "in the field" and would consider
moving up the release if the risks changed. Presently, the impact is
limited and there are mitigations in place through updated anti-virus
signatures so the focus at Microsoft is fully testing this patch.

I talked with our security contact about the timing of this and her
answers were thoughtful and consistent with what I've seen from other
vendors. The concerns that Microsoft has are these.

1. A bad patch that introduces OS instability can cause an
organization more damage than the WMF exposure. Microsoft feels it is
essential to regression test any patch they provide. Bad experiences
with automated update will cause people to stop using this service
and that will do tremendous harm.

2. 3rd party patches can't be tested by Microsoft and may change the
code base to mean that official patches do not get loaded. This can
be more problematic down the line than the added benefit gotten from
the 3rd party patch. Alternately, you must work to uninstall the
patch before January 10th.

As I look at this I think Microsoft is taking a reasonable approach
that is trying to balance the risk of not patching versus system
instability in a problem patch. Clearly, this is a serious issue but
to date we have not seen this flaw being exploited at our campus.

Institutions need to take a similar approach based on risk management
to decide what they should do. Questions to ask are these:

What is the likelihood that critical servers would be impacted by
this flaw? Are other mitigations possible (such as awareness or
dropping privilege levels for IE)?

What is the likelihood that your users have up-to-date AV and that
will mitigate this?

What is the effort in getting in a 3rd party patch deployed and
uninstalled before Microsoft releases its patch on January 10th?

Finally, it would be a great help to the community to get a
notification out to the list if a school is seeing this problem
spread on their campus. Potentially, getting some forewarning may
help us all. If we see issues happening in higher education we will
pass that information on to Microsoft ASAP. Please don't hesitate to
call me if this is a major issue at your campus.

jack suess, VP of Information Technology, UMBC
Co-Chair, EDUCAUSE/Internet2 Security Task Force
410.455.2582



On Jan 3, 2006, at 8:22 AM, Steve Worona wrote:

There's tons of press on the WMF exposure/exploit (still a slow
time for other news) and blogs galore. This one appears to be
better than most:

http://blogs.technet.com/jesper_johansson/archive/2006/01/02/416762.aspx

Steve
--
Steven L. Worona
Director of Policy and Networking Programs
EDUCAUSE / 1150 18th St. NW suite 1010 / Washington, DC 20036
202-872-4200 x 5358 / 202-872-4318 fax / sworona () educause edu

-----
At 7:17 AM -0500 1/3/06, H. Morrow Long wrote:
On Jan 2, 2006, at 4:24 PM, Sadler, Connie wrote:
Does anyone know how close we are to a patch from Microsoft? ...
Anybody have some status?

January 10 (one week from today) is Microsoft's goal for a patch.

The following was posted today on the updated MS advisory page
( http://www.microsoft.com/technet/security/advisory/912840.mspx )

Microsoft Security Advisory (912840)
Vulnerability in Graphics Rendering Engine Could Allow Remote
Code Execution.
Published: December 28, 2005 | Updated: January 3, 2006

On Tuesday, December 27, 2005, Microsoft became aware of public
reports of malicious attacks on some customers involving a
previously unknown security vulnerability in the Windows Meta
File (WMF) code area in the Windows platform.

Upon learning of the attacks, Microsoft mobilized under its
Software Security Incident Response Process (SSIRP) to analyze
the attack, assess its scope, define an engineering plan, and
determine the appropriate guidance for customers, as well as to
engage with anti-virus partners and law enforcement.

Microsoft confirmed the technical details of the attack on
December 28, 2005 and immediately began developing a security
update for the WMF vulnerability on an expedited track.

Microsoft has completed development of the security update for
the vulnerability. The security update is now being localized and
tested to ensure quality and application compatibility.
Microsoft's goal is to release the update on Tuesday, January 10,
2006, as part of its monthly release of security bulletins. This
release is predicated on successful completion of quality
testing. ...
