Microsoft customer warning: Bad exploit in Windows

It’s interesting, I was just talking with Hitachi’s blogger and CTO about what to do in a crisis. Here’s one thing. Warn your customers. That’s what I’m doing here. We’re seeing a bad exploit being reported on blogs and other places. I’m off to check with Stephen Toulouse of the security response center here at Microsoft (I’m a bit at a disadvantage cause I’m blogging from Hitachi’s Storage DataSystems Headquarters — I’m heading back to Microsoft’s offices so I can get access to Microsoft’s internal information sharing systems). The security response center is listening to email sent to secure@microsoft.com — if you have a new security problem, that’s a good place to send email to. Microsoft’s security Web site is here. If you need support with one of our products, please contact support here.

Update: the Security Response Center is working on this. They have a blog, but haven’t posted about this issue yet.

I have a video interview with Stephen on Channel 9, in case you want to know a little more. Here’s a tour of the response center’s workers so you can get a little better idea of the people who are working hard to fix this problem.

Update 2: the Security Response Center has posted a security advisory on this issue.

66 thoughts on “Microsoft customer warning: Bad exploit in Windows”

  1. I went to the MSFT security blog site and the comments were all disabled. Yeah, that’s a real useful read-only blog.

  3. Scoble,

    You are wrong. Because of stupid security policy – Microsoft does not bother to inform EVEN the original researcher on the resolution process.

    I can claim this as I had some issues with security@Microsoft and they lied to the public about how long it takes for them to issue a bulletin. ( http://news.zdnet.com/2100-1009_22-954590.html )

    After this kind of interaction with Security@Microsoft I’m not willing to repeat this experience. Posting everything to the public will result in security people waking up late at night and going to the war room !!!

  5. Chris and Robert:

    This thread’s commentspace looks like it has been a good place to start to work out how to address a crisis using the blogosphere.

    Chris is right, the whole thing needs to be reviewed as a policy issue.

    So here’s the question:

    Chris: what kind of policy would cover the issues that you think are being mishandled here?

    Robert:

    Chris is a recovering snarkoholic (I actually shouldn’t be saying that, it makes me look like I have fallen off the snark-abstinence-wagon myself) and you need to make nice a lot to get the most out of him, and getting him to tell you how to fix MS policy for free is the kind of thing (as in ‘user generated content’) that you are blogging for in the first place, no?

    Yoda says:

    “anger leads to hate, hate leads to suffering”.

    Critical commenters will often make you angry, especially if your posting was aimed at being helpful.

    But remember, one of the main reasons someone will take the trouble to comment about a posting, is because you made them angry, not necessarily in that particular posting, but sometimes in an earlier one, and they are looking for an opportunity to ‘take you down a peg or two’ for what the commenter perceives as arrogance by the blogger.

    So comment-response-anger needs to be given the opposite kind of response to the one that it triggers.

    Not that there is any strong evidence of anger on this occasion, Robert.

    But remember, commenters are part of the Google Juice/ Memeorandum equation, so, probably unconsciously, you are often gravitating towards generating angry responses when you put together your postings, if you have a good blog-traffic-creating track record.

    The cure is humility.

    Robert, you have bucketloads of humility, but you also have assertiveness, and that sometimes comes across as arrogance.

    There’s a line by Will Smith in I, Robot:

    “You are the dumbest smart person…”

    In your case you can substitute “arrogantest humble person”.

    And Chris: Keep on keeping on, Microsoft deserves all the negative feedback that any big institution needs and, my goodness, a Microsoft that somehow manages to develop genuine humility would be an awesome example to humanity, after all, if it is hard to be humble when you have made a lot of money, and had a lot of success, nobody would have any excuse if even Microsoft can somehow become the opposite of arrogant.

    Chris has every right to doubt that Scoble can do what it takes to make Microsoft humble, especially when part of Scoble’s official job is to trumpet new Microsoft triumphs.

    Can you blog humility-affirming failure and cheer on scepticism-inducing triumph at the same time, Robert?

    Not enough rah-rah and the softies hate you, not enough whistles blown and outsiders think you are just the ultimate insidious but desperate PR tactic.

  7. There is lots of coverage in the mainline web media, independent of Robert … he’s not that powerful or ubiquitously read. I wonder where the media is getting their info. It’s as if the bad guys have PR consultants working for them …

  9. This is bigger than I thought…

    How did this get around so fast before a patch could be worked out? Robert, I think by informing your customers you also inadvertently inform every hacker out there that this is a problem and no fix is in sight yet. For your average Joe hacker this is a huge payday.

    Unless the press is blowing it up bigger than it really is…

    http://news.yahoo.com/s/pcworld/124094

  11. Where could one (individual or law enforcement officials) find an inventory of web sites which have installed this exploitive software? If nothing else, such a list could be a “name and shame” of sites to avoid, and at best, a source of prosecution.

    I understand why the world is jumping on Microsoft, but I do not understand why the world is not jumping on the bad guys propagating this stuff.

  13. Scoble, some of the links in the advisory return 404 or not found. How responsible is that?

    A protection against this thing: type “regsvr32 /u shimgvw.dll”. I have read it somewhere and think it’s good. shimgvw.dll is the WMF file handler used by IE. By deregistering it, WMF files simply don’t get displayed anymore.

    Never been a better time to consider switching to Mac. Too bad Intel Macs are not available yet. The last few days, I have spent time with my family and a new preconfigured XP SP2 laptop and the experience was horrible: we have been bombarded by tens upon tens of popups coming from either the OS or the pre-installed (trial version) anti-virus software. Most horrible experience in my entire life. And this box was not even connected to the internet.
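The regsvr32 workaround mentioned in the comment above, as an added example that is not part of the post, the comment, or Microsoft's advisory: a PowerShell script that reports whether shimgvw.dll still holds a COM registration (so an administrator can verify that the stopgap is actually in effect across machines) and applies or reverts the unregister step. It assumes an elevated PowerShell session, that shimgvw.dll lives in %SystemRoot%\System32, and that its registration appears as an InprocServer32 entry under HKLM\SOFTWARE\Classes\CLSID; the function and variable names are this example's own. On the XP-era machines discussed in the thread, the equivalent is the two regsvr32 commands typed at a cmd prompt.

```powershell
# Added example (not code from the blog post, the commenter, or Microsoft):
# report on, apply, or revert the "unregister shimgvw.dll" workaround.
# Assumptions: elevated PowerShell; shimgvw.dll under %SystemRoot%\System32;
# its COM registration lives under HKLM\SOFTWARE\Classes\CLSID\{guid}\InprocServer32.

function Get-ShimgvwClsid {
    # A COM in-process server records its DLL path as the default value of
    # CLSID\{guid}\InprocServer32. Scanning every CLSID for a path ending in
    # shimgvw.dll avoids hard-coding a GUID that may differ between builds.
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $server = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server -ErrorAction SilentlyContinue).'(default)'
                if ($dll -and ($dll -like '*shimgvw.dll')) { $_.PSChildName }
            }
        }
}

function Test-ShimgvwWorkaroundApplied {
    # The workaround is in effect when no CLSID still points at the DLL.
    return (@(Get-ShimgvwClsid).Count -eq 0)
}

function Set-ShimgvwWorkaround {
    param([switch]$Revert)   # -Revert re-registers the DLL and restores image preview
    $dll = Join-Path $env:SystemRoot 'System32\shimgvw.dll'
    if (-not (Test-Path $dll)) { throw "shimgvw.dll not found at $dll" }
    # /s suppresses regsvr32's confirmation dialog so this can run unattended.
    # regsvr32 is a GUI-subsystem program, so wait on it explicitly to get its exit code.
    $regArgs = if ($Revert) { @('/s', "`"$dll`"") } else { @('/s', '/u', "`"$dll`"") }
    $proc = Start-Process -FilePath 'regsvr32.exe' -ArgumentList $regArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "regsvr32 exited with code $($proc.ExitCode)" }
}

# Report only by default. Uncomment the next line to apply the workaround,
# or call Set-ShimgvwWorkaround -Revert to undo it once the patch is installed.
# Set-ShimgvwWorkaround
$clsids = @(Get-ShimgvwClsid)
if (Test-ShimgvwWorkaroundApplied) {
    Write-Host 'shimgvw.dll has no COM registration: workaround is in effect.'
} else {
    Write-Host "shimgvw.dll is still registered under CLSID(s): $($clsids -join ', ')"
}
```

Two caveats for anyone rolling this out: unregistering the viewer removes one common path by which WMF files get rendered, it is a stopgap until the update is installed rather than a fix, and it disables image preview in Explorer until the DLL is re-registered. The check function is the useful part for operations: run it after the change (and after patching) so "workaround applied" is something you can verify rather than assume.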
