When there’s blood in the water, don’t go swimming. I hope you didn’t think we were all done with our WMF problems.
I’m not going to go over all the details of the WMF vulnerability and patch here. My fellow columnists have that well covered. I do wish to point out that it’s an important example of what the patch lifecycle now looks like for a special case.
What we learned from the WMF process
When Microsoft began its once-a-month patch release schedule in November 2004, there was a lot of concern that high-priority patches might be held back until the official day. One example scenario was, “What if there was a zero-day vulnerability being actively exploited? Would Microsoft release the patch as soon as it could?” People felt that there would no longer be any reason to try to keep a vulnerability secret if it was already in the wild, so Microsoft shouldn’t wait until the 2nd Tuesday to release such a patch.
I’m happy to report that Microsoft seems to have met — and possibly exceeded — everyone’s expectations with the WMF patch. The company initially reported that a patch would be ready by Patch Tuesday, Jan. 10, 2006. That would have been about 15 days after the flaw’s discovery. (Discovery by the good guys, that is. It appears that exploits had been in the wild since Dec. 1, 2005.) For Microsoft, and many other vendors, 15 days is a pretty good turnaround. Then Microsoft beat that by almost a week, releasing MS06-001 on Jan. 5.
So kudos to Microsoft for handling this patch well. Now on to the problems that remain.
Thrill-seekers go trolling for exploits
One problem with patching a hole in a previously unexplored piece of software is that sharks — vulnerability researchers, in this case — now smell blood. I don’t mean to use the word “sharks” in a disparaging sense. Many of these guys are friends of mine. I use it in the sense of “efficient predator.”
Everyone who likes to dissect vulnerable software has now had a detailed look at this vulnerability. They’ve disassembled the code, figured out exploit details, and mapped out all the exploitation vectors on the various Windows platforms. Even WINE, an open-source Windows compatibility layer for Unix, has been found to implement the flaw, according to H.D. Moore.
This means they’ve found other security problems in the same piece of code. I’ve been watching the vulnerability research world for a number of years at a macro level. One thing I’ve observed is that all it takes is a hint that there is a problem somewhere and, usually within days, someone has found the problem, or one that’s right next to it.