Jesper has more on WMF exploit

Jesper Johansson is a senior security strategist in the security technology unit at Microsoft. Translation: he is someone worth listening to on the WMF issue. Hint: I am not. He covers the important stuff in a post called “Conscientious Risk Management and WMF.”

Memeorandum has more from blogs on this issue. I really love how a hot issue gets covered on the blogs.

I just got home from a day of traveling. I followed Memeorandum all day on my cell phone. It is really interesting how much stuff shows up on Memeorandum and how much it reduces being bored in airports.

Update: Stephen Toulouse, the Microsoft Security Response Center’s official communications guy, comes over to Channel 9 for a conversation on the WMF issue and what is and is not appropriate for blogging.

Comments

  1. Shelley says:

    Took five days for this to show up in tech.meme, while time was wasted on someone named Russell Beattie switching from Mac to Windows.

    I responded on this issue and Jesper’s post here. Go ahead, Robert: click the link. It’s perfectly safe for Windows users.

  2. scobleizer says:

    Shelley: the issue has been on Memeorandum three times in the past week. Of course, I notice such things ’cause I visit Memeorandum about 20 times a day. :-)

  3. Stephen says:

    Shelly,

    I think you have the 5 days thing mixed up; it was on tech.meme 5 full days before your post.

    You can see it here.

  4. anon says:

    I hope there will be a post-mortem. This should not have happened in the first place, had Microsoft done their XP SP2 push properly.

  5. scobleizer says:

    Anon: there’s a post mortem on every security problem now. The learning from previous post mortems has led to training programs and books by Michael Howard like this one: http://www.amazon.com/gp/product/0072260858/103-4192287-8796642?v=glance&n=283155

  6. anon says:

    Is there a chapter in this book which says “if there are basic flaws in our graphics rendering engine layer, maybe we should review it, not just fix the low-hanging fruit”? Has the old GDI+ bug had any effect on the graphics rendering team?

  7. anon says:

    And what’s that link to the book? Perhaps you want me to buy it, have a feel for your own dirty laundry, and get a clue at how hard the guys work at Microsoft? I am sure they work hard to begin with.

    Sure enough, between the translucency effect of Windows Vista and fixing gdi32.dll holes, something had to give.

    Wouldn’t it be laughable if you came up saying you are lacking resources to fix those things?

  8. scobleizer says:

    Anon: we’re always looking for great developers to help us fix our problems. Sounds like you’re one of those.

  9. anon says:

    “we’re always looking for great developers to help us fix our problems. Sounds like you’re one of those.”

    Hmm, your PR again. You know as I know that, were I a great developer, I wouldn’t be posting comments here; I would be actively shipping DLLs and tools to fight this kind of basic flaw.

    You have managed to switch to an entirely different topic. So much for the conversation. I have said there is a clear line between basic flaws, such as GDI+/WMF/…, and advanced flaws, which require ten steps and a specific config. Where do you draw the line? When can you get a statement like “we guarantee no basic flaw can happen from now on”?

    That’s the only question I want answered. Thanks.

  10. Anon_MKII says:

    Anon, I think you have made your point.

    Try a web search for the string you provided:

    MSN Search

    Zero results. No-one can guarantee anything that is made by human beings.

  11. scobleizer says:

    MKII: same on Google.

  12. Christopher Coulter says:

    I really love how a hot issue gets covered on the blogs.

    Well, if you love it there, I can give it to yah in the wider media (ooops, already did) ;) But somehow I don’t think your PR/Marketing teams or shareholders would feel the same way.

  13. anon says:

    From Scoble turning questions into jokes, I can only infer that “Windows XP is insecure by design”, and that “next version is better” is only a customer trap.

    Point taken.

  14. New thoughts on the WMF exploit – agreements and disagreements

    Another day, another set of thoughts on the WMF exploit.
    It seems that the world is waking up to the exploit now. For the past few days I’ve felt that it has mostly been a talking point among security folk, but now that people are getting …

  15. Christopher Coulter says:

    Just another risk management problem? What? No big deal, ho hum, just another mainstream everyday run-of-the-mill problem. Twiddle thumbs, proceed as normal. This ancient bygone ‘feature’ is now a big security bug which impacts every MSFT OS since the end of the 80s. And it’s all a simple risk management problem? Exactly who is this guy kidding? Geesshhh.

    Unreg the DLL and apply the “unofficial patch”, as even SANS says OK, and then uninstall it whenever MSFT decides to Patch Tuesday it. As somehow I trust things from the IDA author (no less), and there’s not like any real choice now. Now that’s proper ‘risk management’…

    Least Stephen is talking sense…

    While you guys all like blogs, there’s a ton of CSOs, IT professionals etc. who view it as “unofficial” and not real guidance…

    Ummmm, duh. :) Just in the midst of this crisis, there is no guidance outside of ‘Yes, a problem, but just wait till we get around to it. Just keep heads down for the next week.’ That doesn’t fly. The gap alone will be a PR and Marketing nightmare for years to come, which they will use as a twist to move people to Vista.

  16. Polarman says:

    Suggestions to Microsoft about WMF

    What Microsoft should do about the WMF exploit. · Use automatic update to immediately unregister the shimgvw DLL. When they’ve fixed the problem, they can turn it back on. · Negotiate to use the current fix of Ilfak Guilfanov’s. Pay

  17. [...] see a wonderful dialog with Scoble on the recent WMF vulnerability (see the history of WMF events on the F-Secure blog from day 0 to an official patch being released). [...]