Monday, January 09, 2006

Got away with it!

The latest vulnerability in Windows seems to have attracted remarkably little coverage in the media. That's surprising, given it's the silly season (at least in the southern hemisphere).

For those that missed it, there was a vulnerability that allowed a (fairly) obscure file format to carry arbitrary code that would run on your computer when you browsed a website or viewed an email. Quite nasty: most recent exploits have required an unusual configuration, or been easily blocked by firewalls; this one wouldn't be (unless you run intrusive content security software like WebMarshal).

Perhaps it's that no confirmed exploit turned up before the patch was issued - or maybe kicking MSFT for security holes is just so 2005.

1 comment:

Steve said...

Didn't get away with it at all. Microsoft tried to delay the release of the patch and there was a MAJOR uproar in the security circles. To the point where SANS released a 3rd party 'unofficial' patch for the problem through their ISC.

There were also several known worms that were live on the web, but most of them required someone to access a "dodgy" website using IE for the initial infection to occur. However, several sites that were compromised and defaced were laced with a dangerous WMF file pretending to be a JPG.

Worse still is the fact that many of the AV vendors couldn't even detect the flaw properly unless it used a known or expected payload.

Microsoft only released the patch early because the industry was screaming so loudly at them they had no choice. Their excuse was they'd completed testing early, but given how badly they were beaten up by not only the Security industry but also much of the tech media, they really didn't have much choice but to speed up the release of a fix.

Trust me, Microsoft didn't get away with it. At least not from those of us active in the security industry.
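The comment above mentions WMF files being served under a JPG name. As an added example (my own illustration, not code from the post, the commenter, or WebMarshal), here is the kind of content-sniffing check a gateway would apply: the image type is decided from the header bytes, so a WMF served as `.jpg` is caught regardless of its name. The WMF header constants are the documented placeable key and METAHEADER fields; the sample byte strings are constructed, not captured files.

```python
import struct

# Magic bytes for formats a gateway commonly sees. The WMF values come from the
# format's documented headers: the Aldus placeable key, and the standard
# METAHEADER (FileType 1 or 2, HeaderSize 9 words, Version 0x0100 or 0x0300).
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
WMF_PLACEABLE_KEY = 0x9AC6CDD7  # stored little-endian, so on disk it reads D7 CD C6 9A
WMF_PLACEABLE_HEADER_LEN = 22   # key(4) handle(2) bbox(8) inch(2) reserved(4) checksum(2)


def _looks_like_wmf_header(data: bytes) -> bool:
    """True if `data` begins with a plausible standard WMF METAHEADER."""
    if len(data) < 6:
        return False
    file_type, header_size, version = struct.unpack("<HHH", data[:6])
    return file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300)


def sniff_image(data: bytes) -> str:
    """Classify image bytes by content alone, ignoring filename and Content-Type."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data[:6] in GIF_MAGICS:
        return "gif"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == WMF_PLACEABLE_KEY:
        return "wmf"
    if _looks_like_wmf_header(data):
        return "wmf"
    return "unknown"


def is_disguised_wmf(filename: str, data: bytes) -> bool:
    """Flag a WMF payload whose filename claims to be something else."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return sniff_image(data) == "wmf" and ext != "wmf"


# Constructed sample inputs (not real captured files): a placeable WMF stub
# that a site would serve as "photo.jpg", and a genuine-looking JPEG prefix.
FAKE_JPG_WMF = (struct.pack("<I", WMF_PLACEABLE_KEY)
                + b"\x00" * (WMF_PLACEABLE_HEADER_LEN - 4)
                + struct.pack("<HHH", 1, 9, 0x0300))
GENUINE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in (("photo.jpg", FAKE_JPG_WMF), ("photo.jpg", GENUINE_JPEG)):
        verdict = "BLOCK" if is_disguised_wmf(name, blob) else "allow"
        print(name, sniff_image(blob), verdict)
```

Sniffing the header is only the first filter; a gateway would still hand anything classified as WMF to a parser or AV engine, since the comment's point is that signature-only scanners missed payloads they had not seen before.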