EGeezer (Go Bobcats, Premium, join: 2002-08-04, Country!)
ZDNet: Missing Microsoft patch leaves critical vulnerability
I was intrigued by this Microsoft TechNet blog entry, which referenced a patch that was not released for quality reasons. However, the poster did not provide any information on what was missing or what measures users could take until the patch was issued. While it's goodness to remove flawed patches, the vulnerability information and workarounds (if any) should not also be removed.
said by blog entry:
You may notice that we removed one of the bulletins that we had mentioned in the Advanced Notification Service that we released last week. We did this prior to today's bulletin release because of a last minute quality issue.
The present version here has omitted all references to it. I guess they feel that if they remove references to the vulnerability, it'll go away...
A bit of searching yielded this ZDNet blog article which described the missing patch as one to address a critical vulnerability in Windows Media Player (WMP).
said by blog entry:
Lost in the shuffle of this month's Patch Tuesday barrage is the fact that a critical vulnerability in the ever-present Windows Media Player (WMP) was not fixed because of a last minute quality issue.
Microsoft originally listed the WMP update in the advance notice for August but, when the patches dropped on Tuesday, it had slipped because of patch-quality concerns.
The explanation from Redmond:
* Microsoft has heard from customers that the quality of updates is very important and, as part of the process at the Microsoft Security Response Center (MSRC), Microsoft tests these updates continuously until they are ready for distribution to customers through our regularly scheduled security bulletin release.
This effectively means that millions of Windows users (WMP ships with every version of the desktop operating system) are exposed to a critical code execution vulnerability that will not be fixed for at least another month.
The ZDNet article goes on to enumerate several other unpatched vulnerabilities.
Since the information on the missing patch was removed from the advisory, we as users only know that there's a critical vulnerability in WMP out there that's still unpatched, and have no workaround or precautions to take beyond simply not using WMP.
Any specific information for affected users, including workarounds, is welcome.
-- The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
daveinpoway (Premium, join: 2006-07-03, Poway, CA)
I suppose Microsoft could release this patch "out-of-cycle", instead of waiting for September's "Patch Tuesday", but I have no clue as to whether they will do this.
Smokey Bear (veritas odium parit, Premium, join: 2008-03-15, Annie's Pub)
reply to EGeezer
said by EGeezer: Since the information on the missing patch was removed in the advisory, we as users only know that there's a critical vulnerability in WMP out there that's still unpatched, and have no workaround or precautions to take beyond simply not using WMP.
Thanks for this useful info, I used the info in your post to blog about the issue and advised accordingly: »smokeys.wordpress.com/2008/08/16···anymore/
-- Smokey's Security Forums »www.smokey-services.eu/forum/ Smokey's Security Weblog »smokeys.wordpress.com/ ASAP Site Member »asap.maddoktor2.com
EGeezer (Go Bobcats, Premium, join: 2002-08-04, Country!)
Thanks for putting out the word - and for the attribution!
Edit - BTW re: the linked article in your blog - I've seen MPLAYER2 on the system, but never messed with it. Looks like it could do nicely for those who like Windows' player but don't want all the crapola the later versions throw in...
Smokey Bear (veritas odium parit, Premium, join: 2008-03-15, Annie's Pub)
said by EGeezer: Thanks for putting out the word -
Spreading the word is part of our job: informing and advising the user.
said by EGeezer: and for the attribution!
All credit to you, after all you were the one that drew my attention to the WMP non-patch issue.
SUMware (Premium, join: 2002-05-21)
reply to EGeezer
Those wishing to explore a free and excellent replacement for WMP can look at the VideoLAN - VLC media player.
VideoLAN is a software project, which produces free and open source software for video, released under the GNU General Public License.
VLC media player is a highly portable multimedia player for various audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, ...) as well as DVDs, VCDs, and various streaming protocols.
It can also be used as a server to stream in unicast or multicast in IPv4 or IPv6 on a high-bandwidth network. It doesn't need any external codec or program to work.
BTW - it doesn't spy on its users.
antdude (A Ninja Ant, Premium, VIP, join: 2001-03-25)
said by SUMware: Those wishing to explore a free and excellent replacement for WMP can look at the VideoLAN - VLC media player. VideoLAN is a software project, which produces free and open source software for video, released under the GNU General Public License.
VLC media player is a highly portable multimedia player for various audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, ...) as well as DVDs, VCDs, and various streaming protocols.
It can also be used as a server to stream in unicast or multicast in IPv4 or IPv6 on a high-bandwidth network. It doesn't need any external codec or program to work. BTW - it doesn't spy on its users.
Also, Media Player Classic with K-Lite Codecs: »www.codecguide.com/
-- Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer
matunga (join: 2003-07-26)
reply to SUMware
VLC has an unpatched security flaw, the exploit is public: VLC Media Player Integer Overflow »secunia.com/advisories/31512/
Description: g_ has discovered a vulnerability in VLC Media Player, which can be exploited by malicious people to compromise a user's system. Successful exploitation may allow execution of arbitrary code.
»www.orange-bat.com/adv/2008/adv.08.16.txt
Cabal (Premium, join: 2007-01-21, Boston, MA)
Edit: Nevermind, not feeding them.
SUMware (Premium, join: 2002-05-21)
reply to matunga
Everyone should read this thread: »critical flaw found in the latest VLC player 0.8.6i
You will see there that matunga has intentionally altered the advisory to suit his agenda, and has lied and falsified information.
EGeezer (Go Bobcats, Premium, join: 2002-08-04, Country!)
reply to matunga
Would you provide us with the missing WMP vulnerability information too? We'd like to know what the workaround to that unpatched vulnerability is. I doubt you'll provide that, but it's worth asking anyway.
As of the time of the OP, Microsoft has chosen to remove from public access and hide the vulnerability notice, threat evaluation and workaround from users, so I'll use Media Player Classic simply because it's lower profile and less of a target than WMP.
dadkins (Can you do Blu?, Premium, MVM, join: 2003-09-26, Hercules, CA)
reply to EGeezer
They removed the "patch" because of a last minute quality issue? As in, it may be a fried patch?
Maybe I'm alone in this, but I would much rather have a patch that works and doesn't break something than have them push one that might be screwed up. Been there before, no thanks! How many of y'all have seen a patch screw something up?
They can keep that patch and FIX IT before I install it and it breaks/loses/kills something.
YMMV
-- Think outside the Fox... Opera
Cabal (Premium, join: 2007-01-21, Boston, MA)
said by dadkins: Maybe I'm alone in this, but I would much rather have a patch that works and doesn't break something than have them push one that might be screwed up. Been there before, no thanks! How many of y'all have seen a patch screw something up? They can keep that patch and FIX IT before I install it and it breaks/loses/kills something. YMMV
People aren't asking for a broken patch. People are asking for information on what specifically is vulnerable and how they can protect themselves in the absence of a patch. Microsoft isn't obliging.
-- Interested in open source engine management for your Subaru?
EGeezer (Go Bobcats, Premium, join: 2002-08-04, Country!)
reply to dadkins
said by dadkins: ... I would much rather have a patch that works and doesn't break something than have them push one that might be screwed up. Been there before, no thanks! How many of y'all have seen a patch screw something up? They can keep that patch and FIX IT before I install it and it breaks/loses/kills something.
I agree wholeheartedly. As I said in my OP,
said by EGeezer: While it's goodness to remove flawed patches, the vulnerability information and workarounds (if any) should not also be removed.
I just don't believe that it's goodness to remove the public notice with overview and status and workaround (if any).
On a positive note, this incident did give us a bit of insight on how Microsoft wants to handle its vulnerability notification to affected users. In this case, if there's no patch or the patch needs rework, remove all useful user information on the warning and leave users in the dark.
dadkins (Can you do Blu?, Premium, MVM, join: 2003-09-26, Hercules, CA)
reply to Cabal
said by Cabal:
said by dadkins: Maybe I'm alone in this, but I would much rather have a patch that works and doesn't break something than have them push one that might be screwed up. Been there before, no thanks! How many of y'all have seen a patch screw something up? They can keep that patch and FIX IT before I install it and it breaks/loses/kills something. YMMV
People aren't asking for a broken patch. People are asking for information on what specifically is vulnerable and how they can protect themselves in the absence of a patch. Microsoft isn't obliging.
Cool! But, since it appears to be a WMP issue/patch, *I'm* not too worried about it. What people should be asking is what else is vulnerable and workarounds for them.
Remember the WMF "thing"? People were peeing themselves over it to the point of applying a patch from a more or less unknown source.
Don't get me wrong, bad is bad. But as I stated, I would rather wait and get the right one and I'm not going to get worked up over a Media Player problem. I'll uninstall or kill WMP first!
Does anyone have a screenie or copy of that original report? Got a number to the KB?
Thanks!