Security UPDATE--Does the Patch Development Process Need a Patch?--January 11, 2006

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.




1. In Focus: Does the Patch Development Process Need a Patch?

2. Security News and Features

- Recent Security Vulnerabilities

- Windows Metafile Vulnerability: From Bad to Worse

- Microsoft Releases WMF Vulnerability Patch

- Three More WMF Vulnerabilities Discovered

- CERT's Year-End Vulnerability Summary

3. Security Toolkit

- Security Matters Blog


4. New and Improved

- Centrally Enforce Endpoint Security


==== Sponsor: Klocwork ====


New White Paper from Klocwork: Improve software quality and reduce life-cycle costs by incorporating Static Analysis tools into your routine development processes. Results: More maintainable code, more secure, reliable software and a more predictable development process. Download White Paper:


==== 1. In Focus: Does the Patch Development Process Need a Patch? ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Last Thursday, Microsoft released a patch to correct a problem with Windows Metafile Format (WMF) files. There's been plenty of speculation as to just how bad the problem might actually be on unpatched systems.

Some prominent individuals accused others of exaggerating the risks. I think the real sticking points for those who expressed extreme concern about the dangers were that the vulnerability affects a vast number of systems--nearly every Windows system in use today--and that the vulnerability is very easy to exploit. Fortunately for everyone, the WMF vulnerability isn't something that can be directly exploited via a worm. Exploits must rely on some amount of user interaction or other vulnerabilities to propagate.

One interesting aspect of the ordeal to date is how quickly Microsoft produced a comprehensive patch. The company said that the patch had to be tested on many different systems running various Windows versions in 23 languages. Microsoft also said that the turnaround time of basically two weeks was a company record for the production of a comprehensive (i.e., not temporary) security patch.

In many cases, Microsoft has taken many months to release a patch after a security problem has been reported to the company. It's not unusual for problems to remain unpatched for the better part of a year. If Microsoft could produce the WMF patch so quickly, why can't the company produce all security patches in such an expedited manner?

Some security problems are more difficult to correct than others. In difficult cases, the engineering involved is complex and could require a lot of time. People have pointed out that turnaround time on patches also appears to involve other factors, such as the number of systems affected and the severity of risk as judged by Microsoft.

Some state that they'd rather have a stable patch than a faulty patch. But when the timetable slips beyond what the vulnerability discoverer thinks is reasonable, then he or she might eventually publish the exploit "in the interest of full disclosure." This action forces vendors such as Microsoft to immediately shift priorities to address the problem more quickly, but at the same time alerts intruders to another inroad.

One possible way to shorten security patch turnaround time is for Microsoft and other vendors to publish beta copies of their security patches as they do for other software. One might think that if they make the security patch process open to public beta testers, the turnaround time could be reduced significantly. But releasing a beta security patch is essentially the equivalent of prematurely disclosing the nature of the vulnerability, which most vendors are loath to do. It would be relatively easy for some people to reverse-engineer the patch to find the problem the patch is intended to correct. That of course could lead to increased risk for innocent people while the patch isn't widely available. It seems clear that public beta testing of security patches isn't such a good idea.

Many people think that vendors should consistently place the highest priority on correcting security problems in their respective products. In some cases, vendors do seem to place a priority on security fixes with reasonable consistency. But in other cases, a vendor's priorities are flexible based on their own perception of any associated risks. As was made clear yet again with the WMF vulnerability, interpretation of the risk level of a given vulnerability often varies among experts. Resolution of such differences of opinion isn't likely.


==== Sponsor: Diskeeper ====

New Diskeeper version 10--just released!

Free download--install and use it FREE for 30 days! With today's bigger drives and larger files, disk fragmentation is a bigger problem than ever. Diskeeper provides automatic network-wide defragmentation for your desktops all the way up to your ultra high-end servers, maintaining peak performance and reliability. And now--boost access speeds like never before with new breakthrough disk performance calibration technology--I-FAAST. Core enhancements provide faster, more thorough defragmentation. Diskeeper's enhanced I/O Smart provides intelligent, transparent operation, ensuring uninterrupted system use. Simply "Set It and Forget It" for every system on your network. See why Diskeeper is the number one automatic defragmenter--download the FREE 30-day fully functional trialware now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Windows Metafile Vulnerability: From Bad to Worse

Some experts say the recently announced Windows Metafile Format (WMF) vulnerability isn't so bad. However, new exploits demonstrate its unfortunate potential.

Microsoft Releases WMF Vulnerability Patch

Acting outside of its regularly scheduled monthly patch release cycle, Microsoft released Security Bulletin MS06-001, "Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)," and a patch to correct vulnerabilities with Windows metafiles. The patch works on Windows 2000 Service Pack 4 (SP4), Windows XP SP1, and Windows Server 2003 SP1.

Three More WMF Vulnerabilities Discovered

On the heels of Microsoft's recent patch for the much-ballyhooed Windows Metafile Format (WMF) vulnerability, three more WMF vulnerabilities were discovered. They are no cause for major alarm, though, because currently they can be used only to mount Denial of Service (DoS) attacks--they don't allow execution of code.

CERT's Year-End Vulnerability Summary

The United States Computer Emergency Response Team (US-CERT) posted its 2005 Year-End Index, which is a summary of bulletins published by US-CERT in 2005. The report includes counts of vulnerabilities that affect Windows, Unix, and Linux and those that affect multiple OSs.


==== Resources and Events ====

SQL Server 2005: Up & Running Roadshows Coming to Europe!

SQL Server experts will present real-world information about administration, development, and business intelligence to help you put SQL Server 2005 into practice and learn how to use its new capabilities. Includes one-year PASS membership and subscription to SQL Server Magazine. Register now for London and Stockholm, Sweden:

Black Hat Federal Briefings and Trainings

January 23-26, 2006, Sheraton Crystal City, Washington, DC. This new show--with 4 Briefings tracks and 11 Training classes--focuses on the problems and issues that governments face in protecting their infrastructure. Content will be oriented toward attack and defense, from rootkit detection to IDS evasion. Stellar speakers include Michael Lynn, Simson Garfinkel, Halvar Flake, and Dan Kaminsky.

Visit for complete updates.

Enabling Secure Collaboration in the Workplace

Join Microsoft and Sybari experts and learn how to help foster collaboration among employees and partners while reducing security risks and enforcing corporate compliance policies.

WEB SEMINAR: Validate your disaster recovery data and learn if your backup and restore data is worth staking your career on.

EBOOK: Learn all you need to know about today's most popular security protocols for secure Web-based communications.


==== Featured White Paper ====

WHITE PAPER: Optimize your existing Windows Server infrastructure with the addition of server and storage consolidation software and techniques.


==== Hot Spot ====

Filtering the Spectrum of Internet Threats: Defending Against Inappropriate Content, Spyware, IM, and P2P at the Perimeter

Because of the proliferation of Web-based threats, you can no longer rely on basic firewalls as your sole network protection. Attackers continue to evolve clever methods for reaching victims, such as sending crafty Web links through Instant Messaging (IM) clients or email, or by simply linking to other Web sites that your employees might surf. This free white paper examines the threats of allowing unwanted or offensive content into your network and describes the technologies and methodologies to combat these types of threats. Get your free copy now!


==== 3. Security Toolkit ====

Security Matters Blog: Second Unofficial WMF Patch Protects Win9x, Me, and NT

by Mark Joseph Edwards,

Microsoft released a patch for the Windows Metafile Format (WMF) vulnerability to protect Windows 2000, Windows XP, and Windows Server 2003. But what about users of previous Windows OSs? Learn about a third-party solution in this blog article on our Web site.


by John Savill,

Q: How can I export and import my private keys from one machine to another?

Find the answer at


==== Announcements ====

(from Windows IT Pro and its partners)

Get Full Online Access to Windows IT Pro

Order a Monthly Online Pass now and get INSTANT access to all articles, tools, and helpful resources published on, including exclusive Web content. You'll have 24/7 access to the Windows IT Pro article database (includes more than 9000 articles) and get the latest digital issue of Windows IT Pro delivered to your inbox. Order now for just $5.95 per month:

Celebrate the New Year with Windows IT Pro

You won't want to miss any of Windows IT Pro's upcoming 2006 issues! Subscribe now and discover the best ways to plan for Longhorn, the need-to-knows of VBScript, ways to make sense of SQL Server 2005, the 10 Security Tools You Can't Live Without, Vista launch essentials, and much more. You'll save $40 off the full cover price and gain exclusive access to the entire Windows IT Pro online article database FREE. Subscribe today:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Centrally Enforce Endpoint Security

Senforce Technologies offers version 3.1 of its Endpoint Security Suite (ESS). ESS centrally enforces an organization's security policies by location for every PC--whether connected to a company-managed network or the Internet. ESS can check PCs anywhere to make sure antivirus software is up-to-date and other policy compliance measures are in effect. ESS also enforces VPN usage and provides Wi-Fi security features such as not allowing use when a wired network connection exists, allowing connection only to pre-approved Wi-Fi Access Points (APs), and ensuring minimum Wi-Fi security standards (such as WEP or WPA) are used. ESS also regulates the use of removable storage devices by location. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected]

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
