How I knew about the WMF vulnerability, and how you can too. Also, why I took the stance that I took.

Hi everyone,

Thankfully, the worst is over (crossing my fingers, toes, and eyes). Microsoft released their patch yesterday, and people are downloading and installing it. Antivirus companies are able to detect test files for the WMF vulnerability (at least Avast! has been able to detect the few files I’ve tried to test). So, the cyber-world is a safer place, inasmuch as it can be.

A few people have asked me how I knew what was going on so quickly. The answer is, like you (anyone who is reading this blog), I relied on someone else to tell me. The link in my title points to SANS ISC’s InfoCon page. It shows the same InfoCon that I have on my blog here, and it also has links to the file. That file was my first indicator of the problem. It sits in your systray and shows a little globe that is either Green, Yellow, Orange, or Red, depending on what SANS sets the state of the Internet at. When I saw it was Yellow, I started to check their site for information.

So, now you know how I knew about it. But there are people who are saying that the security organizations overblew the issue. And there are people who are saying that they acted perfectly in line. One of the interviews that I saw implied (directly more than anything) that some people were posting just to draw attention to themselves.

Here’s where I stand. Yes, to a minor extent, I was hoping that people would read my blog. That’s something that everyone, including the technical writers at Microsoft, hopes for when they publish something. As for whether I agree with the security agencies or Microsoft in how this was handled, I agree with the security agencies.

I’ve made it known in other posts as well as this one that I love Microsoft to an extent. I also love Linux, and Open Source. I think that they can, and should, walk hand-in-hand. But I don’t care what program or operating system it is. If I hear of something that is deemed Critical (or potentially Critical), or something that causes that InfoCon to go above Green, I’m going to urge EVERYONE to do whatever will make their computers more secure than they are. Even if that means calling on the vendor to release a patch immediately, or urging people to install an unofficial patch.

There is an article on BetaNews that talks about how there were 5,198 vulnerabilities in both Windows and Linux. This is a lumped list, in that all applications which are affected on the Windows OS are counted towards Windows. All of the applications which affected Unix or Linux are counted towards the Unix/Linux side. More important than the list are the comments (mine included). While people are debating that Linux is better than Windows, and Windows is better than Linux, a few people are pointing out that it doesn’t matter which had fewer issues. One security issue is one issue too many.

As I pointed out in one of my comments, when I took Computer Science courses 10 years ago, we were taught 1) Structure your code. 2) Make your code understandable and maintainable by others. and 3) Bug-check your code until it is as perfect as you know how to make it. Nowadays, it seems like the mentality (IMHO) is that “we have to make the money, so get the product out now. We’ll fix the bugs later.” Open source isn’t any better in that regard. They want to get their product exposure as much as the closed-source people want to get their product sold. So, they don’t get 100% of the bugs fixed before they release the product.

So, until that mentality is changed, it’s up to the end-users (you) to make sure their computer is secure. If you hear about a security issue, take whatever steps you need to make sure you’re not hit by it. Unfortunately, it’s not like the 80’s and 90’s, when you could conceivably have a computer without an antivirus program, or even worrying about catching a virus. Nowadays, it’s not a friendly world in that respect. And more and more, you don’t have an option except to own (or use) a computer. And, more and more, you don’t have an option except to go online for something (be it information or to purchase a product or whatever you choose).

So, stay safe and secure. Keep your antivirus, antispyware program(s), and firewall updated regularly. And, keep watching the news, security sites, or blogs (regardless of whether it’s this one or another one). And take whatever precautions you decide are warranted for your security.


