Setting the record straight on the WMF vulnerability

Summary: It seems normal that the year in technology ends with a critical Windows vulnerability. George Ou is setting the record straight on the critical WMF vulnerability, including the worthless fixes and the real fix, which results in Explorer being unable to display thumbnail images.

It seems normal that the year in technology ends with a critical Windows vulnerability. George Ou is setting the record straight on the critical WMF vulnerability, including the worthless fixes and the real fix, which results in Explorer being unable to display thumbnail images. Microsoft has been improving on the security front, but it is still a large and inviting target: a code base developed in an age when security was not the top priority, for anyone looking to exploit vulnerabilities. For reference, below is a list of the top 10 Windows vulnerabilities from the SANS/FBI Top 10 list:

Internet Information Server (IIS)
Microsoft Data Access Components (MDAC) -- Remote Data Services
Microsoft SQL Server
NETBIOS -- Unprotected Windows networking shares
Anonymous Logon -- Null sessions
LAN Manager Authentication -- Weak LM hashing
General Windows Authentication -- Accounts with no passwords or weak passwords
Internet Explorer
Remote Registry Access
Windows Scripting Host

Talkback

13 comments
  • US-CERT on vulnerabilities by OS

    and Windows is not number one.

    http://blogs.zdnet.com/Spyware/?p=736
    Suzi_z
    • In light of this

      ... can you still say:

      "Oh, and let's not forget the most important method of prevention. Go out and buy a Mac, or ditch Windows and start running Linux. TODAY!!!"
      http://blogs.zdnet.com/Spyware/?p=735
      george_ou
      • Psst!

        ...I think it was tongue-in-cheek ;)
        paperghost
        • lol

          Paperghost got it right. :) Personally I like Windows and I don't get infected. These people who say Linux is *the* answer wear on my nerves.
          Suzi_z
          • Hooray!

            Looks like I win a cookie ;)

            Apologies for the double post, too - seems to be a gremlin in the works when trying to post on here at present. And happy new year to all (except the virus writers, of course. Those guys can jump off a cliff).
            paperghost
          • Ok, you got me

            I should have read more carefully.

            Happy New Years!
            george_ou
  • I think PJ examined this list on Groklaw.

    http://www.groklaw.net/article.php?story=20051231142317870
    Zogg
    • They won't read it

      They will claim something like bias or something. When in fact the other operating systems... besides Windows- includes all Unixes, including the very dated SCO Unixware, and Mac OSX, and includes the same vuln for Unix multiple times; for example, the one sendmail flaw was counted over 4 times. Really that chart can't be used to match vulns like they are trying to- a quick inspection of it would tell you that. Not to mention that many of the listed Windows and Unix vulns are for third party apps...

      Really shows where the bias is.
      Edward Meyers
  • SANS has an unofficial patch

    The SANS Internet Storm Center (isc.sans.org) has an unofficial patch for this vulnerability. Scroll down the page to the "WMF FAQ" article and then go down to the fourth question, "What can I do to protect myself?"
    a__l__a__n
  • So proprietary file formats

    are NOT so great! If it were STANDARD then there would be no way to pervert its use!
    Roger Ramjet
  • Windows is getting much better

    I'll be very interested to see if Microsoft was able to put some of this "knowledge learned the hard way" to use in the design of the next version, Vista.

    At times I would have said that IE was so bad, it should be listed twice on any top ten list of Windows vulnerabilities.
    WiredGuy