RE: WMF Exploit Patch Released

Hi Matthew,

Sadly, it isn't so much Microsoft saying you should upgrade for this
patch, but Microsoft saying you should have upgraded from Windows NT 4.0 a
long time ago. NT 4.0 has been being retracted from the market since 2001.
It was declared closed for normal support in 2003. They are now phasing out
extended support in 2005. Windows NT 4.0 first showed up back in 1996. We
have since had 98, Me, W2K, XP, and now Vista is coming. The server end has
seen W2K and 2003 with a service pack. Should an OS be supported for ten
years past its inception?

Will there be a WMF patch for Windows 95 as well? One way to look at
things is that Microsoft is an evil empire sticking it to the man. One
might also say they are the average business with new products.

Regardless of motive, it honestly costs more to maintain NT 4.0 at this
point than to upgrade to a newer OS. Red Hat 4.0 also came out in 1996.
The amount of patching, manual configuration, and manual administration
involved in a product that has seen its day come and go is much more
expensive than migration. There is also a fair amount of default security,
productivity, and usability gains in the newer versions of these products.

You can still run programs dating back to Windows 95 and NT 4.0 and even
DOS on Windows XP. That's a lot of overhead Microsoft built in to ease
transitions. Skipping one OS version for cost reasons can certainly make
sense, but if you are making things last and your workstations and servers
have a five year lifecycle, so should their operating systems.

Just for some perspective on 1996:

Dell opened internet sales.

Netgear was founded.

Google was first developed.

Sony entered the PC market.

Microsoft introduced Windows NT 4.0 and Windows CE 1.0.

Sun introduced the Ultra workstation family and licensed Java.

Seagate released the original 10k Cheetah drives at 6GB.

Intel released the 200MHZ P6. The 266MHz PII didn't come until 1997.

I do wish you the best of luck in patching NT 4.0 systems if you are truly
stuck with them, but my recommendation to anyone still on NT is to use this
as one more reason to present the idea of a new OS to management this year.

Sincerely,
Donald

-----Original Message-----
From: Matthew Schiros [mailto:schiros@xxxxxxxxx]
Sent: Friday, January 06, 2006 12:47 PM
To: info@xxxxxxxxxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: WMF Exploit Patch Released

According to Microsoft, WinNT4 and Win2k SP3 users are out of luck.
Their reccomended "solution" is to upgrade your software to a
supported version. Obviously, all this means is that they have no
solution at all, but this is hardly the first time that MS has stuck
it to WinNT4 users as part of an attempt to get them all moved over to
2k SP4. As for the viability of disabling the DLL's in question,
while I haven't had any problems as a result of doing that on the 2k
boxes in the office, I haven't had the opportunity to test its impact
on NT systems. That seems to be the only way of removing the exploit
from your machines though, and I'd be interested in knowing the
results of your attempts.


On 1/6/06, info@xxxxxxxxxxxxxx <info@xxxxxxxxxxxxxx> wrote:
>
>
> Hello Everyone,
>
> Unfortunately there are company who are still running NT4 and I was
> wondering which alternative do they have
>
> to face this security breach from the fact that Microsoft do not provide
any
> patch for NT4 .
>
> Do they have to disable GDI32.DLL and WGDI32.DLL as suggested previously
for
> SHIMGVW.DLL?
>
> Regards.
>
> Ernest Matos
>
> IT Security
>
>
> -----Original Message-----
>
> From: Matthew Schiros [mailto:schiros@xxxxxxxxx]
>
> Sent: Thursday, January 05, 2006 10:51 PM
>
> To: security-basics@xxxxxxxxxxxxxxxxx;
> bugtraq@xxxxxxxxxxxxxxxxx
>
> Subject: WMF Exploit Patch Released
>
>
>
> Microsoft has released a patch for the WMF exploit a couple of days
>
> early, apparently due to a faster-than-expected testing process, and,
>
> at least I hope, some consumer pressure. It can be downloaded via
>
> Windows Update, or as a standalone install at:
>
> http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
>
> As a note, it appears that all of the attempts to circumvent the
>
> problem via disabling SHIMGVW.DLL were irrelevant, and that those who
>
> discovered that GDI32.DLL and WGDI32.DLL were the culprits were
>
> correct.
>
> Happy crawling.
>
> Matt Schiros
>
> Web Developer
>
> Academic Superstore
>
> www.academicsuperstore.com
>
>
---------------------------------------------------------------------------
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
>
> The Norwich University program offers unparalleled Infosec management
>
> education and the case study affords you unmatched consulting experience.
>
> Tailor your education to your own professional goals with degree
>
> customizations including Emergency Management, Business Continuity
Planning,
>
> Computer Emergency Response Teams, and Digital Investigations.
>
> http://www.msia.norwich.edu/secfocus
>
>
----------------------------------------------------------------------------

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,

Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------

Relevant Pages

  • Re: Is running a patch that changes something in Windows XP permis
    ... again for a Microsoft MVP: I have been trying to understand what the ... Windows XP versions before SP2 the system was recognised as SP2 RC1. ... > some things to quote here that tell us that the patch probably does not ... > change the value of TcpNumConnections in the registry and that there isn't ...
    (microsoft.public.windowsxp.general)
  • So Windows Update is a dog, now what?
    ... extension, that means that the soon-to-be-released Windows Update, ... How about someone getting serious about patch management over at ... In their explanation of the severity rating scheme, the Microsoft ... incredibly reliable mechanism for getting patches onto systems, ...
    (NT-Bugtraq)
  • Re: Daylight Savings Time 2007 and Windows 2000 Server...
    ... Joe Richards Microsoft MVP Windows Server Directory Services ... support older versions of their software as well as Microsoft. ... patch for this problem but to also thoroughly test it and develop the ...
    (microsoft.public.windows.server.active_directory)
  • Re: Daylight Savings Time 2007 and Windows 2000 Server...
    ... support older versions of their software as well as Microsoft. ... patch for this problem but to also thoroughly test it and develop the ... Windows 98? ...
    (microsoft.public.windows.server.active_directory)
  • Re: WMF Exploit Patch Released
    ... using this patch as an attempt to push users away from NT 4.0. ... there are many viable replacement OS's put out by Microsoft since. ... > Will there be a WMF patch for Windows 95 as well? ... >> The Norwich University program offers unparalleled Infosec management ...
    (Security-Basics)