Microsoft Rushes Out WMF Security Fix
By Nate Mook | Published January 5, 2006, 5:22 PM
Just days after announcing plans to release a patch that fixes a security vulnerability in Windows Meta File image processing on January 10, Microsoft has rushed out the update early. The company said the patch was ready earlier than expected and its decision was based on feedback from partners.
WMF, or Windows Metafile, is a vector-based image format used by Microsoft's operating systems. SHIMGVW.DLL is loaded to render the images and contains a flaw that opens the door for a malformed WMF image to cause remote code execution and potentially allow for a full system compromise.
"So what changed to make us decide to release an update today? Two things: The first is that we have an update that we believe in. The team worked very hard to run all of the key scenarios that we are concerned about," explained Mike Nash, corporate vice president for security at Microsoft.
"While we would always like to have more time, we are confident in the quality of the update. The second issue is that while there is no imminent threat, a number of customers are seeing exploit traffic hitting their AV, IDS and IPS systems."
Microsoft consulted partners about the out-of-band update, and they recommended that the company release it as soon as possible.
"I reminded them of their past feedback about out of band updates being an inconvenience and their preference for the monthly release schedule," Nash said. "Overall, they felt that we had made these out of band releases so infrequent, that doing it once when it matters was not a big deal."
Nash suggests that customers install the patch immediately. Customers can download the fix through Windows Update or Microsoft Update, and enterprise customers can receive it through SUS.
"With the update available today, you certainly have the choice of deploying now or waiting until your normal release process. If it were my decision, I would move up the schedule," he added.
I've removed WMF support from my Windows, and my Mandriva doesn't support it at all :P...
The only thing that's in WMF is the Office clipart. Office is evil anyway, IMO... I use alternatives.....
Anyway... I'm usually the first to complain about MS security, but I think they did the right thing here :P
Score: 0
|"The first is that we have an update that we believe in. "
They should have left that comment out. It's just ripe for all sorts of comments about the rest of the updates they *didn't* believe in.
*shrug*
I'm no PR rep, but that just *really* didn't need to be said. Talk about opening yourself up.
Score: 0
|You took it COMPLETELY out of context. He said:
"So what changed to make us decide to release an update today? Two things: ..."
That has NOTHING to do with ANY other product, just this one, and why they released it when they DID.
ANY company has to believe it's a solid update, before it's released, and they do it for EVERY rollout of an update.
Score: 0
|lmao...
Okay, man.
Okay.
Score: 0
|Minor correction: there was no error in SHIMGVW.DLL. The only reason that MS recommended that you unregister it is because it was one of the largest attack vectors that malformed Windows Metafiles could be rendered through. Unregistering it really did nothing to fix the vulnerability, but rather reduced the attack surface. As someone has already mentioned, the MS patch updates the gdi32.dll and cdfview.dll libraries, but does not touch SHIMGVW.DLL, which you have listed as the troublemaker.
Score: 0
|Anyone interested in direct downloads for various OS's can check here
http://www.veign.com/blo...eased-by-microsoft.html
Score: 0
|So I can go to some random blog site for direct downloads, or I can go to Microsoft.com and Microsoft Update for immediate, safe, direct download? Hmmm.
Score: 0
|Or better yet, go directly to Microsoft for the original:
http://www.microsoft.com.../bulletin/ms06-001.mspx
Score: 0
|LOL
Score: 0
|Good job Microsoft. I would have rather you take the time to ensure the patch didn't cause problems than to hurry it out and have other issues arise, unlike others on these forums who do nothing but bad mouth Microsoft. Great job on the quicker than average release.
Score: 0
|you are maybe lone soul here, at first I thought to myself...what a nice written sarcasm =)
but I am too lonely warrior explaining antarctica's fauna way how to patch correctly...but they'll never understand (open source...EVERYONE can look at code and patch it in a hour!!!!!!!!!!!!!!!!!!), maybe they will once they'll get past 1% of userbase...
Score: 0
|I agree with Metshrine... considering the millions of users affected, and thousands of applications affected, I prefer stability and proper testing over some rushed out bug that would cause me to listen to JacenSolo and the likes whine about how it caused their systems to Blue-Screen after being installed. (No offense Jacen, but you know you would, lol.)
Score: 0
|They're damned if they do, damned if they don't on this stuff. If they release it early, people get pissed about a rushed patch. If they release it on time, they risk a major system outage and people badmouthing them for NOT rushing it out. :)
Score: 0
|lmao...
Hell, I don't know anyone who wouldn't b**** if their system blue-screened after a patch....do you?
Score: 0
|I'd laugh personally.
Score: 0
|I thought of the same thing.
Score: 0
|It was leaked, so they didn't release it early by choice.
Cross your fingers and hope all is well with it.
Can't blame them if it's not because they said that it still needed to be tested.
Score: 0
|Okay, let me rephrase:
Hell, I don't know any /Windows user who isn't thrilled every time their PC crashes/ who wouldn't b**** if their system blue-screened after a patch....do you?
Better? I'd think if someone used Windows regularly...depended on it, even, that a patch to fix something instead broke it would be just a bit miffed.
Now, a Linux user watching this happen to someone else using a windows box...they'd probably laugh their asses off.
Score: 0
|Interesting, because my Spysweeper utility broke within an hour after the patch. Don't know if the patch was responsible, as there was a Spysweeper definitions update applied earlier that day as well, which could have been the culprit. Anyways, a reinstall fixed it and no problems since.
Score: 0
|I have lots of Windows machines.
I'd still laugh.
Just did it yesterday. ;-)
Of course I chuckle when I see a kernel panic too.
Score: 0
|The download is available on FileForum: http://fileforum.betanew...s_XP_32bit/1136497012/1
Score: 0
|Good! I'm glad they got it finished early for a change. No problems with the patch on my XP PRO and Home systems either...
Score: 0
|For those of you who've installed the workaround from earlier this week, don't forget to uninstall it first before applying the MS patch. Re-register the shimgvw.dll (regsvr32 %windir%\system32\shimgvw.dll) as well.
The patch looks to mod at least the gdi32.dll and cdfview.dll files in the system32 folder of XP. This is not meant to be breaking news, only an observation.
The patch went smoothly on my XP Pro and so far nothing's broken.
Score: 0
|there really isn't a need. both patches are compatible with each other.
Score: 0
|Okay, I wasn't sure, but is it worthwhile keeping both? The MS patch is "official" while the workaround is 3rd party.
Score: 0
|If you no longer need the "hack" I'd strongly recommend removing it.
It may be 6 mos down the road before something interferes with it.
Unless of course the patch eliminates the hack, (which I don't believe it does) then I wouldn't worry with it.
Score: 0
|Agreed.
Score: 0