WMF Vulnerability Not Fixed

[scottws]

http://www.informationweek.com/windows/...ticle.jhtml?articleID=175802831&pgno=1

It sounds like Microsoft addressed the direct attack from late December, but has not addressed overall vulnerability of WMF.

I read another report that Microsoft was kind of miffed they were basically forced to release the "fix" early. I guess they wanted time to shore it up entirely, but the press was having a field day with the huge vulerability so they had to do something, but at the same time they knew they couldn't secure it enough right away and would catch flak for leaving it vulnerable.

 

[CTho9305]

The new ones are just crashes. There are already hundreds+ ways to crash IE - who cares about 2 more?
edit: Never mind, according to Symantec at least one is likely exploitable. Go MS!

 

[spyordie007]

beauty

 

[Thor86]

It's what keeps security and AV vendors in business.

 

[Robor]

Ha! I can't see it from my Ubuntu Breezy T42

Of course, I'm currently installing a WSUS (Windows Server Update Services) 2003 Server at work right now just to keep the local network updated.

 

[MGMorden]

Originally posted by: Robor
Ha! I can't see it from my Ubuntu Breezy T42

Of course, I'm currently installing a WSUS (Windows Server Update Services) 2003 Server at work right now just to keep the local network updated.

We're currently testing out a product called GFI Languard Network Security Scanner to do the same thing. Also prompted by the latest WMF vulnerability .

 

[stash]

Symantec is conjecturing, they are even quoted in the article as doing such.

These are perf bugs, and are not exploitable. They were discovered during a normal code review, before the discovery of the WMF vuln that led to the MS06-001 patch.

 

[spyordie007]

Thanks for the info Stash