The WMF saga


Security Zero published a critique of Microsoft's handling of the recent security hole in the image rendering engine, which affects every version of Windows:

Once upon a time, 27th December 2005, a pestilent bug in the graphical rendering engine (gdi32.dll) started to put at risk every Windows box on the planet. And even Linux ones which used to work with WINE emulation package.

To gain momentum the well-known security expert H D Moore developed an early exploit for his well-known (and much appreciated) open source penetration test platform: Metasploit.

At the same time, to gain momentum, the well-known developer Ilfak Guilfanov, author of the well-known (and much appreciated) binary disassembler IDA Pro, developed an unofficial patch.

At the same time Microsoft started developing and testing its own official patch which was planned for release 15 days later.

Immediately after, SANS, the well-known (and much appreciated) organization for security awareness, for the first time in its whole history, released a vulnerability FAQ urging people to go and use the unofficial patch.

Immediately after, Microsoft released a webcast to deprecate the use of the unofficial patch, warn of eventual compatibility issues (which arrived) and defend its position, adducing that testing an official patch against every Windows variant takes a lot of time.

Immediately after, to gain momentum, ESET, the well-known (and much appreciated) organization developing NOD32 antivirus, released a second unofficial patch.

Immediately after, Microsoft inadvertently leaked an unofficial pre-release patch, which was advised as unstable and untested and therefore not worthy of installation.

5 days before the planned date (and 10 days since the vulnerability discovery) Microsoft released the official patch.

At the same time 2 SecuriTeam bloggers, the well-known (and much appreciated) security portal, disassembled the official patch and compared it against the Guilfanov unofficial one, resulting in identical solutions.

At the same time legacy Windows and Linux users discovered they wouldn't be safe at all because Microsoft released no patch for them.

Immediately after, 2 new WMF vulnerability variants were disclosed.

Immediately after, Microsoft minimized the impact of these new flaws.

Immediately after, to gain momentum, the well-known (and much appreciated) developer and security expert Steve Gibson claimed the original WMF vulnerability to be a Microsoft backdoor to reach Windows computers worldwide.

Immediately after, Microsoft security program manager Stephen Toulouse answered the claim, denying the imputed intentions.

Immediately after, a Linux News member started asking everybody why this happened when Microsoft reports spending $10-$50 million on security.

The original article contains links to all the references cited.