Archive for January, 2006
For the second time this week, I have to go against a promise to myself. Yesterday, I promised myself I wouldn’t write another line about the WMF vulnerability this week. Today, I have to break this promise because, guess what, Microsoft finally saw the light and caved in to customer pressure (and bad press, I guess… I leave it to you to determine what’s more important to them) and released the WMF patch ahead of schedule. Of course they still claim that there are no widespread exploits known to them… well, maybe they just didn’t look hard enough? Anyway, the patch was released yesterday afternoon and is available via Windows Update – it’s probably a good idea to install it now, if you haven’t already.
January 6th, 2006
When I wrote yesterday that I’m going to head over to Brian Krebs’ blog more often, I didn’t really think I would be quoting him again today. But he has done such a good job following up on the WMF patch issue we reported on yesterday that once again he got me thinking and I want to add some thoughts to his.
Brian points out that according to Microsoft’s latest WMF advisory (yes, the one claiming that the WMF exploits are limited in scope), Microsoft OneCare customers are protected from this bug. That of course raises some intriguing questions about the nature of the protection offered by this product. How can OneCare customers be protected when Microsoft feels unable to release a working patch before next Tuesday because of all the testing the patch needs to undergo? Who is actually doing all this testing… and how far-fetched is the idea that in fact the OneCare customers could be the ones who (knowingly or not, I don’t know because I’m not a OneCare beta program member and haven’t read the EULA) get to test this patch? I mean, it would make sense because through the OneCare software, the patch could be deployed as well as removed or updated if it doesn’t work as designed, all with no end user interaction.
Or does Microsoft actually know another way to protect computers from the WMF based attacks, but chooses not to disclose it to regular Windows users, but only to those willing to pay for extra security (I know OneCare is free at the moment, but it’s also still a beta product that many will be unwilling to install on mission critical computers and Microsoft has plans to charge for it later)? That would indeed be a rather scary scenario – the manufacturer of faulty software refuses to protect its customers from security flaws unless they are willing to pay to have it fixed… kind of like a car manufacturer refusing to fix your brakes that were manufactured with a defect, unless you pay them. I’m not saying that is in fact the case, but the claim that OneCare customers are protected when at the same time Microsoft sees itself unable to provide a patch yet does raise these questions.
Technorati : OneCare, Software, WMF, Windows
January 5th, 2006
I must say, I’m starting to like Brian Krebs’ daily column a lot – his style is quite nice, easy to understand even for people who are not security geeks, while at the same time being quite accurate about the issues at hand. Take his article on the upcoming WMF fix, for example. Not only does he describe the problem quite accurately, deliver the news of the upcoming patch and some instructions for interim measures, he even admits that it would be much more newsworthy if Microsoft had announced that they won’t supply a patch on their next “patch day”. What’s probably also more newsworthy is the fact that it is taking them so long and they even discourage people from applying an unofficial patch that is reported to do a very good job, quite a remarkable achievement given the fact that no source code of the faulty DLL was available to the author of the fix…
Anyway, I think I’ll head over to Brian’s blog even more often than I used to… today he finally made it to my “must read” list.
Technorati : WMF, Windows, patch, software
January 4th, 2006
One of the CDs that have been on heavy rotation in my CD player recently (definitely in my “A” playlist at the moment) is the 2005 Soul Survivor sampler “We must go”, featuring many of the songs that were sung during Soul Survivor’s annual summer event in Shepton Mallet / Somerset (UK). And while I miss a few songs (it would have been so great to have that spontaneous 15 minute instrumental worship set by Delirious? on the CD, but I didn’t think that was going to happen anyway), it’s still a great collection that as always has been masterfully put together to re-capture the listeners and take them back to the events of last summer (if in fact they were there… people who weren’t will probably love the CD almost as much). If I were to name my favourite songs, I’d have to name almost all of them… so maybe I should just mention that the only real disappointment is “Superlatives” by Marl Beswick and his “Power Praise” singers… after their breathtaking rendition of “Lord, I lift Your name on high” on the 2004 sampler, I expected a lot more, both live and on the CD. Anyway, maybe I’m just missing whatever is so special about this song… I hope it wasn’t just put on the CD because the Soul Survivor guys had to.
All in all, a great CD, definitely worth having a look (and listen) at – and don’t miss the extra 5-track bonus CD with some of the highlights of the “Momentum” festival for “students and 20somethings” that ran between the two main Soul Survivor weeks. Hey, maybe I’ll see some of you there this summer…
Technorati : CD, christian, music, soul survivor
January 2nd, 2006
In his article, Brian puts the latest CERT vulnerability report a little bit into perspective, taking a look mainly at the Windows side of things. It would have been interesting to hear his take on the Unix/Linux side as well… there are a lot of flaws in the way CERT generates the list, at least if you want to use it for statistical purposes. They count a vulnerability every time it was reported in a 7-day period, so some vulnerabilities that had updates or were reported to affect multiple platforms have been counted up to eight times (the Apache mod_ssl verify restriction bypass vulnerability, for example) because the reports trickled in over the course of several weeks and were updated frequently. All those reports point to the same CVE number, though, making it pretty clear that this is in fact just a single vulnerability.
So anyone who looks at the numbers and wants to conclude that 800+ vulnerabilities in Windows are a lot less than 2300+ in Linux/Unix, and that Windows must therefore be more secure, should first process this list and remove all the duplicates that have been caused by this kind of reporting – and then bear in mind that the open nature of most Linux software leads to more open disclosure of vulnerabilities. If a vulnerability in some other software was silently fixed, but never reported, it will not show up in the CERT list. That kind of silent fixing is much more likely in a closed source environment because nobody will really know what changed in the latest update.
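The deduplication step described above, as an added example that is not part of the original post: it counts bulletin entries per platform the naive way and again keyed by CVE ID, so repeated weekly reports of one vulnerability are counted once. The bulletin lines, the pipe-separated format and the CVE identifiers are all constructed for this example.

```python
from collections import defaultdict

# Constructed bulletin in a simple "date|platform|title|cve" form.
# The first three Linux/Unix lines are weekly re-reports of one vulnerability,
# so a naive count credits that platform with three bugs instead of one.
# CVE identifiers here are placeholders, not real assignments.
SAMPLE_BULLETIN = """\
2005-11-07|Linux/Unix|Apache mod_ssl verify restriction bypass|CVE-XXXX-0001
2005-11-14|Linux/Unix|Apache mod_ssl verify restriction bypass (updated)|CVE-XXXX-0001
2005-11-21|Linux/Unix|Apache mod_ssl verify restriction bypass (updated)|CVE-XXXX-0001
2005-11-21|Windows|Apache mod_ssl verify restriction bypass (updated)|CVE-XXXX-0001
2005-12-28|Windows|WMF image handling vulnerability|CVE-XXXX-0002
2005-12-30|Windows|WMF image handling vulnerability (updated)|CVE-XXXX-0002
2005-12-12|Linux/Unix|Some library overflow|
"""


def parse_bulletin(text):
    """Parse pipe-separated lines into (date, platform, title, cve) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, platform, title, cve = (f.strip() for f in line.split("|", 3))
        entries.append((date, platform, title, cve))
    return entries


def raw_counts(entries):
    """Naive per-platform count: every report line counts once."""
    counts = defaultdict(int)
    for _, platform, _, _ in entries:
        counts[platform] += 1
    return dict(counts)


def deduplicated_counts(entries):
    """Distinct vulnerabilities per platform, keyed by CVE ID.

    Entries without a CVE (not every bug gets one) fall back to the title
    with any "(updated)" suffix stripped, so they still count exactly once.
    """
    seen = defaultdict(set)
    for _, platform, title, cve in entries:
        key = cve or "title:" + title.lower().split(" (")[0]
        seen[platform].add(key)
    return {platform: len(keys) for platform, keys in seen.items()}


def inflation(entries):
    """Ratio naive/deduplicated per platform: how much re-reporting inflates it."""
    raw, dedup = raw_counts(entries), deduplicated_counts(entries)
    return {platform: raw[platform] / dedup[platform] for platform in raw}
```

Running it on the constructed bulletin shows Linux/Unix at 4 reports but only 2 distinct vulnerabilities, versus 3 reports and 2 vulnerabilities for Windows, which is exactly the distortion the post warns about.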
Technorati : CERT, Linux, Windows, software
January 2nd, 2006