Microsoft’s WMF patch leaves many unprotected



January 7th, 2006

John Herron of NIST.org makes a point that many PCs have been left unprotected from the [tag]WMF exploit[/tag] because of the need to have updated service packs to install the patch or the absence of a patch for Windows 95, Windows 98, Windows 98SE, Windows Millennium Edition, and Windows NT 4.

Thank you [tag]Microsoft[/tag] for blessing us with a patch to fix the products you currently sell. The products that compete with Linux and Macintosh. Excellent job at diverting the our attention away from the fact that Windows 95, Windows 98, Windows 98SE, Windows Millennium Edition, and Windows NT4 remain vulnerable. Neat trick convincing people that "the vulnerability is not critical because an exploitable attack vector has not been identified that would yield a Critical severity rating for these versions."

I'm far more concerned about the patch needing SP4 on Windows 2000 than I am about Windows 98/ME.  Why?  Because it's difficult (very difficult, if not impossible) to infect a Windows 98/ME system (many viruses and spyware don't support older operating systems).  Also, if you want it, there is an unofficial patch that works from NOD32 that works.

No, I'm more worried about the Windows 2000 requiring SP4.  This service pack isn't as widely installed as it should be and this is going to leave a lot of corporate users unprotected.

SANS has coverage on the WMF exploit on Windows 98/ME.

This entry was posted on Saturday, January 7th, 2006 at 16:45 and is filed under Stay Secure. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed.