Sunday, June 20, 2021

Security Experts Blast Microsoft

With Microsoft calmly asserting that it plans to release a patch for a widespread vulnerability on January 10, security experts are advising concerned administrators to download a third-party patch.

On Tuesday, Microsoft issued a statement acknowledging a vulnerability in the Windows Meta File (WMF) code in Windows operating systems including XP, Server 2003, ME, 98, and 2000, as well as versions of Lotus Notes. The flaw has led to a spate of exploits centered around Microsoft’s Internet Explorer and Messenger software.

In its statement, Microsoft said it’s delaying release of the patch, which was accidentally made available today, “to assure customers that they can be deployed effectively in all languages and for all versions of the platform with minimum down time.”

The company’s rationale for delaying release until its traditional “Patch Tuesday,” the second Tuesday of every month, didn’t sit well with security experts and developers, who have both condemned it for the delay and encouraged administrators to install either the accidentally leaked patch from Microsoft or an alternate version provided by Ilfak Guilfanov.

In an angry post on the SANS Internet Storm Center diary, an author wrote “In [Microsoft’s] rosy vision of the future, over the next seven days, nothing bad is going to happen.  The fact that there are point-n-click toolz to build malicious WMFs chock full o’ whatever badness the kiddiez can cook up doesn’t exist in that future.  The merry, lil’ Redmond Oompa Loompas are chanting “Our patch isn’t ready / you have to wait / so keep antivirus / up-to-date” which makes perfectly accurate, current AV signatures appear on every Windows computer – even those with no antivirus software.”

The SANS site has been advocating users download Guilfanov’s patch, and even went so far as to provide an installer package for it. The site also provided an outline of actions network administrators should take to deal with WMF-related security emergencies, warning that communications may be affected, and that even if internal networks remain protected from problems, other infected networks may pose problems to Internet-facing systems.

This article was first published on EnterpriseNetworkingPlanet.com.

Similar articles

Latest Articles

3 AI Implementations That...

I was on a joint educational call for the World Talent Economic Economic forum on mobile computing this week. We drifted to topics that...

Survey of Site Reliability...

NEW YORK — Site reliability engineers (SREs) are warning of a looming scalability ceiling and saying the adoption of AIOps isn’t happening at a...

Druva Integrates sfApex to...

SUNNYVALE, Calif. — A maker of software for cloud data protection and management is helping companies safeguard essential customer data that their sales and...

Best Data Science Tools...

Data science has transformed our world. The ability to extract insights from enormous sets of structured and unstructured data has revolutionized numerous fields —...