Comments

  1. Unhappy new fear (and watery Queen)

    In today’s IT Blogwatch, we look at the latest unpatched Windows security risk — the rather nasty WMF exploit. Not to mention Queen’s We Will Rock You as you’ve never seen it before…
    Ring out the old and ring in the new (exploit) sings Sharon Mac…

  2. Blogging in a crisis. We could do much better here. Also, I’d like to see more of our executives blogging, especially in this kind of situation.

  4. If anyone at Microsoft said anything at all about this there would be a Slashdot and Digg stampede.

    In the first hour, would 20,000 users be unthinkable? And they are just the ones who want to throw two cents somewhere.

    If a word, or worse a single ‘byte’, is out of place, Microsoft will get DiggDotBlogged with an extreme frenzy of not very nice feedback.

    Microsoft need to stay quietly focused on getting the job done so it is released and works. They do not need distractions…

    That said, all that executives and others can say, as Robert has said, is ‘We are working on it’.

  6. [...] And speaking of public relations, Microsoft’s Robert Scoble links to a Channel 9 post where the discussion makes it clear that there won’t be any unofficial advice from Microsoft employees. Generally, there’s nothing worse than “informal” security advice and I realize the difficulties in creating the “official” patch, but from a public relations standpoint it really doesn’t look good that it seems to be a band of volunteers that is manning the barricades and doing an excellent job of it. [...]

  7. Wasn’t XP SP2 supposed to end those problems? WTF? What are you going to say one year from now, that we need to buy Windows Vista to get free of those hassles? What an embarrassment this company is.

  9. Forget blogs for a moment. Go to http://www.microsoft.com/security for a moment. Doesn’t really jump out at you that there’s a very serious exploit for a fully patched machine, does it? Only thing that really jumps out at me at first glance is that Automatic Updates is really important, although in this case, it wouldn’t help.

  11. anon: no one at Microsoft EVER made that claim. I know, I was watching very closely.

    Are you going to say the same thing about other products that have security holes? I can point out a few to you if you’d like to do that.

  13. The plain truth as I see it is that we need more interaction from Microsoft regarding security.

    It’s such an important area that concerns us all, the dialogue needs to be more transparent.

    Channel9 is a perfect opportunity for these guys/girls to interact with us; I would strongly suggest they come and join us because their absence is noticed.

  15. Scoble said “no one at Microsoft EVER made that claim. I know, I was watching very closely.” Wrong; XP SP2 was recompiled with /GX to remove all buffer overflow cases. Plus XP SP2 was built in order to fill all holes related to basic entry points, such as when browsing the net and being hit by a flaw without installing anything.

    I am not sure anyone said and accounted for something like “with XP SP2, a WMF cannot happen”. But face it, XP SP2 was supposed to bring this kind of shield to everyone.

    Months after XP SP2 shipped, XP SP2 was hit by the GDI+ flaw. Also a zero-day exploit. You would think the Windows guys would fix those issues once and for all. One thing we could say with the GDI+ flaw is that Microsoft failed to do that.

    I recall a company for which I worked, which fixed a bug for one of their big customers. The fix was actually only solving a use case that the customer described. Unfortunately, the lack of enough bugfix engineering caused the bug to appear again in a slightly different use case, which the customer also faced afterwards. Needless to say, bad day there. We were regarded as clowns, deservedly.

    It’s no surprise to see a WMF flaw. I don’t want to wait for the next basic flaw to step in. This is just a shame. You work for a shameful company.

    I bought an XP SP2 laptop for my family, and I thought that at least they would not have to bother with basic flaws. You have failed me. I am a customer and I rely on your operating system.

    As for holes in other products, sorry for having to say it, but you ship an operating system on most desktop PCs out there, not “another product”.

  17. a deeper conversation about what corporations should do

    Gawd, if you haven’t FIGURED that out by now. Learn from Firestone, learn from 200 years of American biz history. The response is weak; the answer is the FIX, not more eternal conversations that don’t SOLVE anything. Fix now, internet time, and in a way that doesn’t break other stuff. Tall order I know, but this is the world we live in. And your security reporting policies are half the cause, if you recall my prior (failed) attempt at pointing out the irony there when you went on a Chicken Little spree.

  18. Scoble, let me ask you categorically: Do you think Microsoft’s response to this security flaw has been adequate?

    Does Microsoft intend to handle future security vulnerabilities like this? If so, I will be selling my PCs to buy more Macs.

  21. Robert,

    The best thing that you can do is to take your camcorder and visit the Security@MS team daily and ask for a detailed 10-15 minute report on what the heck they were doing all day. (This is something you excel in.)

    After everything is patched, you can publish this video and make clear to everybody that the teams were working hard on this issue.
    If you are unable to do this, or those reports are not solid, this means that the security team is doing a bad job and something must be changed internally. All talk of “This is confidential information”, “We cannot disclose our internal process to the public” is simply babytalk and will add more wood to the fire. On such an important issue Microsoft must play fair and not downplay it.

    The posting on the MSRC blog (http://blogs.technet.com/msrc/archive/2005/12/30/416694.aspx) is clearly downplaying:
    “some people who are still looking” – Yo! People, give up!
    “I thought it would be helpful to let you all know what we know about this” – Yes. This helps me a lot.
    “situations such as this one very seriously.” – Relax. This is not a lonely issue.
    “attacker would have no way to force users to visit such a malicious Web site” – Two words – Google AdSense. They are doing a good job of forcing people to visit some websites.
    “we will release that either through the regular monthly release cycle or out-of-cycle, depending on customer needs.” – We still don’t know if we are going to fix this in one week, or faster, or slower.
    “working very closely with our anti-virus partners and” – this has nothing to do with anti-viruses. I’m not willing to install antivirus and pay 50+ USD/year simply to browse websites.
    “Have a safe and happy New Year!” – No comment.

  23. All you anti-Microsoft morons just need to get a life. All right, it’s a flaw, but dammit they’ll fix it. You can do yourself a favor and turn on Windows Update. The minute they fix it and make it available, it will be installed automatically on your machine.

  25. Updated: Unofficial WMF patch – Use at your own risk

    It’s with some hesitation that I write about the following item, because a.) it’s an unofficial patch that changes a key Windows file, and b.) I haven’t tried it myself. [See update below.] There is now an unofficial, third-party patch…

  26. Has Microsoft been murdering puppies again? Tut tut.
    Just for that I’m going to call you M$ for two whole weeks.

  28. What good would a MSFT blog do in this case? We would get one of the following:
    * Some techno-speak about what’s wrong (while I would find that interesting 99% of the people wouldn’t). And it doesn’t help anyone
    * Some intracompany smack down about how one department can’t code to save their lives. I, again, would find that interesting
    * Some unfounded claims about how Windows security is better than Unix
    * A post about how this is due to sloppy programming, which is immediately pulled
    * How this will all be corrected in Vista. Oh wait Scoble already posts that for them
    * Why if those fools just did X and then Y and Z they wouldn’t have this problem. Oh wait they still do

    And on and on. Nothing really of value here in this situation.

    Where MSFT could have good blogs would be for their applications, like “I was playing around with Excel and found this neat way to do X” or “Tired of doing A, B, and then C to connect to a company VPN. Download this program and do it in one step”

    MSFT blogging about security is the ultimate putting of lipstick on a pig.

  30. Yes, the softie goons should definitely hold more meetings on this matter before deciding on a course of action.

  32. You know,

    This is a perfect example where Robert’s normal “EVERYTHING MUST BE TEH OPUN” blows up. If we take Robert’s past rants on things, then, if MS followed his advice, the meetings on this would be streamed live, and we’d have webcams on the coders.

    This of course would be a disaster, and astoundingly stupid. Luckily, most of MS ignores that kind of idiocy. When you have a security problem, you keep your mouth shut on it (other than eating your helping of crow for allowing it to happen, something MS is still dreadfully bad at for themselves, and quite good at for everyone else), and fix the damned thing.

    But if Robert admits this is the right course, then he admits his “always open all the time” stance is not in fact a terribly good one, so he’s kind of got to soft-shoe it here.

  34. The idea of MS is to provide a ‘forum’ for the Christopher Coulters of the world to voice their opinions and in due time dis all security issues as 10-year-olds’ rants on the internet.

  36. Met, sigh, get a dictionary, look up the word “parody”.

    Anyways, I know this is big (or spreading) as one family member and 2 friends got hit; I hafta trudge down tomorrow to fix a few computers. Sure wish I could bill Microsoft, or sue the releaser.

  38. Umm the WORLD gets hit by Microsoft’s problems. You think only my friends and family are victims? Have you checked your blog feeds? It’s all over. What arrogance. They are END USERS, not geek techies, of course stuff like this will impact them. It’s just that I get the ‘call’ whenever something happens. :)

  40. And do what? Tell him to reformat and reload the OS from known good media after backing up files that aren’t affected?

    That’s all you can do, Robert, when your machine is attacked successfully. You can’t know what files were affected, so the only safe action is to back up data files, and reinstall all OS and application files.

    This “oh, repair the damage” is how rootkits live on and do more damage. This is why this kind of thing is so damaging.
