A user and a security engineer arrived at the business site together.
The user placed his bicycle against the wall, and walked
towards the door.
The security engineer stopped him and said “You forgot to
lock your bicycle.”
The user thanked the security engineer, and went back to lock
On the way, he noticed the security engineer’s bicycle was leaning
against the wall, unlocked.
“You forgot to lock your bicycle,” the user called to the
The security engineer responded “No, I didn’t.”
Catching many security professionals by surprise, Microsoft has released an “off-cycle” patch for the recent WMF exploits:
A couple of things to note:
- Off-cycle means that Microsoft thought that this was important enough to ship early. That’s a hint that they reckon that a significant number of their users will be affected by this, and the influx of new tech support calls and bad PR due to the patch will be less than the influx of new tech support calls and bad PR due to the exploit.
- Microsoft have been getting much better at providing reliable patches, so that “significant number” should actually be relatively low in percentage terms.
- The behaviour being exploited is not a buffer overflow. It’s doubtful whether you can call it a bug. It’s by design. The WMF design is lifted straight from the API instructions you’d send to a printer, and those APIs allow the calling program to specify “in the event of an error rendering this image, call me back”, and provide an address to call into. Where this breaks is in allowing a data file to contain that code.
- Data files are code. Code files are data. There is no spoon.
- Unofficial patches are generally inadvisable, for most users. “To avoid unknown third parties installing code on my machine, I will install code on my machine from an unknown third party.” Make sure you have reason to trust any third party whose code you install. Maybe the unofficial patch floating around for the WMF exploit is good and trustworthy, but it’s a risk you should consider.