Monday, January 02, 2006

The Power of Open Source

One of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 criticisms of open source software is that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is no one to blame when a customer needs a problem solved. For example, if an open source OS or application is found to suffer a vulnerability, no one is seen to be responsible for patching it. Following this line of thinking, commercial software is considered a superior choice for consumers (whecá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r corporations or individuals). When a problem happens, users can rely on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vendor.

The recent SANS ISC post about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 WMF vulnerability has completely annihilated this argument. I have criticized SANS in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 past, but I cannot fault cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir handling of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ongoing fiasco. I've never seen anything like this plea by Tom Liston before:

Looking forward to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 week ahead, I find myself in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 very peculiar position of having to say something that I don't believe has ever been said here in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Handler's diary before: "Please, trust us."

I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Microsoft WMF vulnerability is bad. It is very, very bad.

We've received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable.

Acceptable or not, folks, you have to trust someone in this situation.

To cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 best of my knowledge, over cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it. Now we're going to expend some of that hard-earned trust:

This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 unofficial patch. You need to trust us.


The unofficial patch Tom references was written by Ilfak Guilfanov and described here. What is this? It's a patch created by a non-Microsoft developer, acting more rapidly than Microsoft itself. Sure, you can argue that Microsoft is working now to develop a patch that will hopefully address deeper problems, perhaps serious problems. Nevercá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365less, SANS has reverse engineered cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 unoffical patch to ensure its validity, wrote a FAQ about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 vulnerability, and is now hosting a .msi to ease patch installation. This is unprecedented.

Where is Microsoft on this issue? They published cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir initial advisory on 28 Dec and updated it 30 Dec. Nothing cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y've done has helped resolve cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 issue. Meanwhile, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Metasploit project has released a module to generate malicious WMF files. This puts exploit creation in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 hands of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 lowest common denomintaor.

F-Secure reports cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 WMF issue is truly "a feature, not a bug," due to Microsoft's design of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 WMF format. In fact, F-secure says

"'The WMF vulnerability' probably affects more computers than any ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r security vulnerability, ever."

Everyone who paid good money to Microsoft to fulfill its duty as a commercial vendor selling closed, proprietary software is still waiting for an official patch. Meanwhile, users are owned by exploit spam and targeted WMF email attacks. Remember this example cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 next time your management refuses to allow running open source software because "no one is responsible for problems."

When private third parties like SANS and Ilfak Guilfanov have to step up to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 plate to save cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 world, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 argument for exclusively running closed, proprietary software with a poor security record is weak indeed.

Note: I do not mean to unduly criticize Microsoft employees. I know several of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m who are really sharp. At cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 end of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 day, however, Microsoft as a corporation is AWOL on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 WMF issue.

Update: SANS has temporarily pulled cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ir .msi. However, I just installed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 original .exe on a Windows XP SP2 system without incident. I also unregistered cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 shimgvw.dll library. Ilfak Guilfanov's patch creates this directory on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 host:

C:\Program Files\WindowsMetafileFix>dir
Volume in drive C has no label.
Volume Serial Number is 30EF-BD7B

Directory of C:\Program Files\WindowsMetafileFix>

01/02/2006 08:52 AM DIR .
01/02/2006 08:52 AM DIR ..
01/01/2006 12:38 PM 155 compile.bat
01/01/2006 03:54 PM 1,141 Readme.txt
01/02/2006 08:52 AM 3,537 unins000.dat
01/02/2006 08:52 AM 673,546 unins000.exe
01/01/2006 03:41 PM 7,022 wmfhotfix.cpp
5 File(s) 685,401 bytes
2 Dir(s) 3,207,041,024 bytes free

C:\Program Files\WindowsMetafileFix>type Readme.txt
MS WINDOWS METAFILE VULNERABILITY HOTFIX v1.3

PLEASE READ THE FOLLOWING CAREFULLY!

This is a temporary fix for cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 MS Windows
Metafile file vulnerability:

http://www.hexblog.com/2005/12/wmf_vuln.html

It has been tested on Windows 2000, Windows XP,
and Windows XP Professional 64bit.
Please use it at your own risk and switch
to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 official patch from Microsoft as soon
as it is be available.

THIS FIX IS PROVIDED 'AS IS' WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF FITNESS
FOR A PURPOSE, OR THE WARRANTY OF NON-INFRINGEMENT.

IN NO EVENT SHALL ILFAK GUILFANOV BE LIABLE TO YOU
OR ANY THIRD PARTIES FOR ANY SPECIAL, PUNITIVE,
INCIDENTAL, INDIRECT OR CONSEQUENTIAL DAMAGES
OF ANY KIND, OR ANY DAMAGES WHATSOEVER, INCLUDING,
WITHOUT LIMITATION, THOSE RESULTING FROM LOSS OF USE,
DATA OR PROFITS, WHETHER OR NOT HE HAS BEEN ADVISED
OF THE POSSIBILITY OF SUCH DAMAGES, AND ON ANY THEORY OF
LIABILITY, ARISING OUT OF OR IN CONNECTION WITH THE USE
OF THIS SOFTWARE.

Copyright 2006 by Ilfak Guilfanov, ig@hexblog.com
http://www.hexblog.com

As you can see, you can inspect cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 .cpp file and compile it yourself if you do not want to run cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 compiled wmffix_hexblog13.exe.

1 comment:

Anonymous said...

Beyond what you have said, I'm impressed by Ilfak's willingness to create versions which work on Win2K, etc. I mean, here's a guy who contributes code, and when people say "Yeah, but does it work on win2k? What about SP3? An MSI would be better", instead of saying "If you want that, write it", he says "I'll see if I can get to it". A day later, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re it is.

I sure hope this guy has been taking care if his liver, because he's going to be getting a ton of free drinks out of his work on this.