I guess this is one of those moments where I get to say thank you to those who were the true early responders. Thanks to you I was able to make an accurate as well as timely estimate of the risks and I helped many others take early preventive action. Feels good to have provided a useful service that lowered risk way ahead of the curve.
With that in mind I just received confirmation directly from Microsoft that they have been working with ISPs to block or even shut down sites known to be hosting the WMF exploit code. They also said that a patch may be possible prior to Tuesday, but that doesn’t honestly impress me much since it’s already Thursday, Jan 5th and the hole has been on our radar since at least Dec 28th. I’m not going to look a gift horse in the mouth, so to speak, but we practice defense-in-depth because a patch from the vendor is just one of many controls that need to be in place. Patching a few days early would be great, but I have been holding most systems out from hexblog (except in isolated cases) because of the perceived higher value of rolling thousands of patches cleanly with no side-effects. Risk and trade-offs, eh? So far so good.
MS also mentioned that their security team is trying to put together a list of sites to block. Well, I think many of us have been doing that ourselves since the 28th as well as monitoring traffic based on a set of open-source rules available since the 30th. So I welcome the update from MS, but my guess is that they are tapped into the same sources we are and will just add polish to an otherwise excellent effort by the security community at large. Not so much a value-add as a, “really, you too, no kidding?”
And that just reminds me of the early 1980s when Gates was famous for railing against the BBS operators and public disclosure forums as wasteful amateurs who were harmful to the market. He might want to take a moment and apologize (or maybe even donate to open-source efforts like snort) since it is exactly these community and non-profit forums that have been most helpful in protecting our Windows systems from disaster these past two weeks. Thank you to those who provided the real alert and have been working on this with me in advance of our “official” meeting with Microsoft today.
I had some other questions for Microsoft that they seemed unable to answer, but they said the security team will be calling me back to discuss further. In a nutshell, they’re getting ready to issue a preventive control update, but at this point we’re up to our eyeballs in preventive controls and need to validate the detective end of the spectrum to assess the success of the patch. Trust, but verify, right?
Oh, and I have to admit that we have one confirmed case of One Care cleaning the WMF exploit from a test system, which is very heartening, but I also have to say that the discussion immediately afterwards turned to “Have you tried Vista? No, you should test it. No way, man, you should test Vista. Not me, I just bought a Mac, you test it…”