The Wolf in the Image

Here is an example of how, even though people cry wolf too much, sometimes, as in the current Microsoft WMF vulnerability, the wolf really is at the door, or in this case in the image. Unlike many web-related vulnerabilities, this one doesn’t require the user to do anything to take effect, because it’s an image vulnerability. Internet Explorer (IE) just goes ahead and triggers the vulnerability when it sees such an image. Recent versions of Firefox at least ask the user before opening the image, but many users will say yes because it’s an image, and people think images are safe.

Microsoft has not provided a fix, even though this problem has been around for a week or more now. SANS is predicting that Microsoft won’t provide any fix for Windows 98; instead, if you want to be safe, you’ll have to upgrade.

Meanwhile, an individual has provided a patch that seems to work, and SANS has tested it and approves.

What does it mean when the world’s largest software vendor can’t release a timely patch to one of the worst-ever vulnerabilities in its software?

One thing I think it means is that those of us who have been banging the diversity drum and saying software monoculture and its monopoly are a huge risk weren’t just crying wolf.

I also have to wonder, if many Windows users are going to have to upgrade suddenly, why don’t many of them upgrade to Macs or Linux, which do not have this vulnerability? Switching from IE to Firefox would also help, although that’s not sufficient, since these images can be embedded elsewhere, such as in Word documents. A more radical solution seems to be required. At the least, companies that are serious about risk management would do well not to run monocultures of Windows servers or clients.

-jsq