ZDNet: Missing Microsoft patch leaves critical vulnerability in Security http://www.dslreports.com/forum/r20956014 en Fri, 04 Dec 2009 05:04:00 EDT Fri, 04 Dec 2009 05:04:00 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20970218 dadkins :
said by Cabal See Profile :

said by dadkins See Profile :

Maybe I'm alone in this, but I would much rather have a patch that works and doesn't break something than have them push one that might be screwed up.
Been there before, no thanks!
How many of y'all have seen a patch screw something up? :huh:

They can keep that patch and FIX IT before I install it and it breaks/loses/kills something.

YMMV
People aren't asking for a broken patch. People are asking for information on what specifically is vulnerable and how they can protect themselves in the absence of a patch. Microsoft isn't obliging.
Cool!
But, since it appears to be a WMP issue/patch, *I'm* not too worried about it.
What people should be asking is what else is vulnerable and workarounds for them.

Remember the WMF "thing"?
People were peeing themselves over it to the point of applying a patch from a more or less unknown source.

Don't get me wrong, bad is bad.
But as I stated, I would rather wait and get the right one and I'm not going to get worked up over a Media Player problem. ;)
I'll uninstall or kill WMP first!

Does anyone have a screenie or copy of that original report?
Got a number to the KB?

Thanks! :)
--
Think outside the Fox... Opera]]> http://www.dslreports.com/forum/remark,20970218 Mon, 18 Aug 2008 17:34:40 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20968254 EGeezer :
said by dadkins See Profile :

... I would much rather have a patch that works and doesn't break something than have them push one that might be screwed up.
Been there before, no thanks!
How many of y'all have seen a patch screw something up? :huh:

They can keep that patch and FIX IT before I install it and it breaks/loses/kills something.

I agree wholeheartedly. As I said in my OP,
said by EGeezer See Profile :

While it's goodness to remove flawed patches, the vulnerabilty information and workarounds(if any) should not also be removed.
I just don't believe that it's goodness to remove the public notice with overview and status and workaround(if any).

On a positive note, this incident did give us a bit of insight on how Microsoft wants to handle its vulnerability notification to affected users. In this case, if there's no patch or the patch needs rework, remove all useful user information on the warning and leave users in the dark.
--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis]]> http://www.dslreports.com/forum/remark,20968254 Mon, 18 Aug 2008 11:38:41 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20968186 Cabal :
said by dadkins See Profile :

Maybe I'm alone in this, but I would much rather have a patch that works and doesn't break something than have them push one that might be screwed up.
Been there before, no thanks!
How many of y'all have seen a patch screw something up? :huh:

They can keep that patch and FIX IT before I install it and it breaks/loses/kills something.

YMMV
People aren't asking for a broken patch. People are asking for information on what specifically is vulnerable and how they can protect themselves in the absence of a patch. Microsoft isn't obliging.
--
Interested in open source engine management for your Subaru?]]> http://www.dslreports.com/forum/remark,20968186 Mon, 18 Aug 2008 11:24:13 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20968102 dadkins : They removed the "patch" because of a last minute quality issue?
As in, it may be a fried patch?

Maybe I'm alone in this, but I would much rather have a patch that works and doesn't break something than have them push one that might be screwed up.
Been there before, no thanks!
How many of y'all have seen a patch screw something up? :huh:

They can keep that patch and FIX IT before I install it and it breaks/loses/kills something.

YMMV
--
Think outside the Fox... Opera]]> http://www.dslreports.com/forum/remark,20968102 Mon, 18 Aug 2008 11:09:54 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20968017 EGeezer : Would you provide us with the missing WMP vulnerability information too? We'd like to know what the workaround to that unpatched vulnerability is. I doubt you'll provide that, but it's worth asking anyway.

As of the time of the OP, Microsoft has chosen to remove form public access and hide the vulnerability notice,threat evaluation and workaround from users, so I'll use Media Player Classic simply because it's lower profile and less of a target than WMP.
--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis]]> http://www.dslreports.com/forum/remark,20968017 Mon, 18 Aug 2008 10:55:22 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20967594 SUMware : Everyone should read this thread:
»critical flaw found in the latest VLC player 0.8.6i
You will see there that matunga has intentionally altered the advisory to suit has agenda, and has lied and falsified information.]]> http://www.dslreports.com/forum/remark,20967594 Mon, 18 Aug 2008 09:29:54 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20967577 Cabal : Edit: Nevermind, not feeding them.]]> http://www.dslreports.com/forum/remark,20967577 Mon, 18 Aug 2008 09:27:07 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20967182 matunga :
said by SUMware See Profile :

Those wishing to explore a free and excellent replacement for WMP can look at the VideoLAN - VLC media player.
VLC has an unpatched security flaw, the exploit is public: :)
VLC Media Player Integer Overflow
»secunia.com/advisories/31512/
Description:
g_ has discovered a vulnerability in VLC Media Player, which can be exploited by malicious people to compromise a user's system. Successful exploitation may allow execution of arbitrary code.

»www.orange-bat.com/adv/2008/adv.08.16.txt]]> http://www.dslreports.com/forum/remark,20967182 Mon, 18 Aug 2008 05:40:20 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20966383 antdude :
said by SUMware See Profile :

Those wishing to explore a free and excellent replacement for WMP can look at the VideoLAN - VLC media player.

VideoLAN is a software project, which produces free and open source software for video, released under the GNU General Public License.

VLC media player is a highly portable multimedia player for various audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, ...) as well as DVDs, VCDs, and various streaming protocols.

It can also be used as a server to stream in unicast or multicast in IPv4 or IPv6 on a high-bandwidth network.
It doesn't need any external codec or program to work.

BTW - it doesn't spy on its users.
Also, Media Player Classic with K-Lite Codecs: »www.codecguide.com/
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer]]> http://www.dslreports.com/forum/remark,20966383 Sun, 17 Aug 2008 22:54:56 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20960390 SUMware : Those wishing to explore a free and excellent replacement for WMP can look at the VideoLAN - VLC media player.

VideoLAN is a software project, which produces free and open source software for video, released under the GNU General Public License.

VLC media player is a highly portable multimedia player for various audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, ...) as well as DVDs, VCDs, and various streaming protocols.

It can also be used as a server to stream in unicast or multicast in IPv4 or IPv6 on a high-bandwidth network.
It doesn't need any external codec or program to work.

BTW - it doesn't spy on its users.]]> http://www.dslreports.com/forum/remark,20960390 Sat, 16 Aug 2008 14:27:25 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20960097 Smokey Bear :
said by EGeezer See Profile :

Thanks for putting out the word -
Spreading the word is part of our job: informing and advising the user. ;)
and for the attribution! :)
All credits to you, after all you was the one that took my attention to the WMP non-patch issue :)
--
Smokey's Security Forums »www.smokey-services.eu/forum/
Smokey's Security Weblog »smokeys.wordpress.com/
ASAP Site Member »asap.maddoktor2.com]]> http://www.dslreports.com/forum/remark,20960097 Sat, 16 Aug 2008 13:10:29 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20959819 EGeezer : Thanks for putting out the word - and for the attribution! :)

Edit - BTW re: the linked article in your blog - I've seen MPLAYER2 on the system, but never messed with it. Looks like it could do nicely for those who like Windows player but don't want all the crapola the later versions throw in..]]> http://www.dslreports.com/forum/remark,20959819 Sat, 16 Aug 2008 11:51:38 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20959134 Smokey Bear :
said by EGeezer See Profile :

Since the information on the missing patch was removed in the advisory, we as users only know that there's a critical vulnerability in WMP out there that's still unpatched, and have no workaround or precautions to take beyond simply not using WMP.
Txs for this useful info, i used the info in your post to blog about the issue and adviced accordingly: »smokeys.wordpress.com/2008/08/16···anymore/
--
Smokey's Security Forums »www.smokey-services.eu/forum/
Smokey's Security Weblog »smokeys.wordpress.com/
ASAP Site Member »asap.maddoktor2.com]]> http://www.dslreports.com/forum/remark,20959134 Sat, 16 Aug 2008 06:51:10 EDT Re: ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20959045 daveinpoway : I suppose Microsoft could release this patch "out-of-cycle", instead of waiting for September's "Patch Tuesday", but I have no clue as to whether they will do this.]]> http://www.dslreports.com/forum/remark,20959045 Sat, 16 Aug 2008 04:51:28 EDT ZDNet: Missing Microsoft patch leaves critical vulnerability http://www.dslreports.com/forum/remark,20956014 EGeezer : I was intrigued by this Microsoft Technet blog entry, which referenced a patch that was not released for quality reasons. However, the poster did not provide any information on what was missing or what measures users could take until the patch was issued. While it's goodness to remove flawed patches, the vulnerabilty information and workarounds(if any) should not also be removed.

said by blog entry :

You may notice that we removed one of the bulletins that we had mentioned in the “Advanced Notification Service” that we released last week. We did this prior to today’s bulletin release because of a last minute quality issue.
The present version here has omitted all references to it. I guess if they feel if they remove references to the vulnerability, it'll go away.. :D

A bit of searching yielded this ZDNet blog article which described the missing patch as one to address a critical vulnerability in Windows Media Player (WMP).
said by blog entry :

Lost in the shuffle of this month’s Patch Tuesday barrage is the fact that a critical vulnerability in the ever-present Windows Media Player (WMP) was not fixed “because of a last minute quality issue.”

Microsoft originally listed the WMP update in the advance notice for August but, when the patches dropped on Tuesday, it had slipped because of patch-quality concerns.

The explanation from Redmond:

* Microsoft has heard from customers that the quality of updates is very important and, as part of the process at the Microsoft Security Response Center (MSRC), Microsoft tests these updates continuously until they are ready for distribution to customers through our regularly scheduled security bulletin release.

This effectively means that millions of Windows users — WMP ships with every version of the desktop operating system — are exposed to a critical, code execution vulnerability that will not be fixed for at least another month.
The ZDNET article goes on to enumerate several other unpatched vulnerabilities.

Since the information on the missing patch was removed in the advisory, we as users only know that there's a critical vulnerability in WMP out there that's still unpatched, and have no workaround or precautions to take beyond simply not using WMP.

Any specific information for affected users, including workarounds, is welcome.
--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis]]> http://www.dslreports.com/forum/remark,20956014 Fri, 15 Aug 2008 14:45:57 EDT