Jesper has more on WMF exploit

by on January 2, 2006

Jesper Johansson is a senior security strategist in the security technology unit at Microsoft. Translation: he is someone worth listening to on the WMF issue. Hint: I am not. He covers the important stuff in a post called “Conscientious Risk Management and WMF.”

Memeorandum has more from blogs on this issue. I really love how a hot issue gets covered on the blogs.

I just got home from a day of traveling. I followed Memeorandum all day on my cell phone. It is real interesting how much stuff shows up on Memeorandum and how it reduces being bored in airports.

Update, Stephen Toulouse, Microsoft’s Security Response Center’s official communications guy, comes over to Channel 9 for a conversation on the WMF issue and what is appropriate for blogging and not.

  • Took five days for this to show up in tech.meme, while time was wasted on someone named Russell Beattie switching from Mac to Windows.

    I responded on this issue and Jesper's post here. Go head, Robert: click the link. It's perfectly safe for Windows users.
  • Shelley: the issue has been on Memeorandum three times in the past week. Of course, I notice such things cause I visit Memeorandum about 20 times a day. :-)
  • Shelly,

    I think you have the 5 days thing mixed up, it was on tech.meme 5 full days before your post.

    You can see it here here
  • anon
    I hope there will be a post-mortem. This should not have happened in the first place, had Microsoft done their XP SP2 push properly.
  • Anon: there's a post mortem on every security problem now. The learning from previous post mortems has led to training programs and books by Michael Howard like this one: http://www.amazon.com/gp/product/0072260858/103...
  • anon
    Is there a chapter in this book which says "if there are basic flaws in our graphics rendering engine layer, may be we should review it, not just fix the low-hanging fruit" ? Has the old GDI+ bug had any effect on the graphics rendering team?
  • anon
    And what's that link to the book. Perhaps you want me to buy, have a feel for your own dirty laundry, and get a clue at how hard the guys work at Micrsoft? I am sure they work hard to begin with.

    Sure enough, between the translucency effect of Windows vista, and fixing gdi32.dll holes, something had to give.

    Wouldn't be laughable you would come up saying you are lacking resources to fix those things?
  • Anon: we're always looking for great developers to help us fix our problems. Sounds like you're one of those.
  • anon
    "we’re always looking for great developers to help us fix our problems. Sounds like you’re one of those."

    Hmm, your PR again. You know as I know that, were I a great developer, I wouldn't be posting comments here, I would be actively shipping dlls and tools to fight this kind of basic flaws.

    You have managed to switch to an entirely different topic. So much for the conversation. I have said there is a clear line between basic flaws, such as GDI+/WMF/..., and advanced flaws, which require ten steps and a specific config. Where do you draw the lines? When can you get a statement like "we guarantee no basic flaw can happen from now on" ?

    That's the only question I want answered. Thanks.
  • Anon_MKII
    Anon, I think you have made your point.

    Try a Web Search for the String you provide

    MSN Search

    Zero results. No-one can guarentee anything that is made by human beings.
  • MKII: same on Google.
  • Christopher Coulter
    I really love how a hot issue gets covered on the blogs.

    Well, if you love it there, I can give it to yah, in the wider media (ooops, already did) ;) But somehow I don't think your PR/Marketing teams or Shareholders would feel the same way.
  • anon
    From Scoble turning questions into jokes, I can only infer that "Windows XP is insecure by design", and that "next version is better" is only a customer trap.

    Point taken.
  • Christopher Coulter
    Just another risk management problem? What? No big deal, ho hum, just another mainstream everyday run-of-the-mill problem. Twiddle thumbs, proceed as normal. This ancient bygone 'feature' now a big security bug which impacts every MSFT OS since end of the 80s. And it's all a simple risk management problem? Exactly who is this guy kidding? Geesshhh.

    Unreg the dll and apply the "unoffical patch", as even SANS says ok, and then uninstall whenever MFST decides to Patch Tuesday it. As somehow I trust things from the IDA author (no less), and not like any real choice now. Now that's proper 'risk management'...

    Least Stephen is talking sense...

    While you guys all like blogs, there's a ton of CSO's, IT professionals etc. who view it as "unofficial" and not real guidance...

    Ummmm, duh. :) Just in the midst of this crisis, there is no guidance outside of 'Yes a problem but just wait till we get around to it. Just keep heads down for the next week.' That doesn't fly. The gap alone will be a PR and Marketing nightmare for years to come, which they will use as a twist to move people to Vista.
blog comments powered by Disqus