I'm reminded of that TV commercial by FedEx where the guys were trying to put drama back into the shipping business by screaming “Doomed! We are all, Doomed!”. I love to disagree with Roger, but in certain ways, I have to agree with him on this one. I do think the handlers at SANS, as well as others, have gone a little overboard on this one. Yes, the WMF vulnerability is critical, and yes, we do need Microsoft to release a patch as quickly as possible, but I see things happening that are only going to cause more trouble.

Microsoft does seem to play down the real threat at times, leaving the possibility of a blended threat out of the question, but they also face criticism for every move they make. They do have to make sure adequate quality testing is done for legal issues and to provide their customers with a reliable solution. I understand that the handlers at SANS are passionate about what they do, but the support of a third-party patch is a risky business. There are even others giving advice to download a “Leaked official update”. I see a real potential for malware being distributed via fake patches because advice has been provided by security websites and news articles.

I also hear talk of admins that are indeed planning to distribute a third-party patch into their organizations. I would hope that they sought approval from executive management and have a copy of the approval in writing. I would hope that they also checked with their legal teams on the matter and determined what legal issues may result should a third-party patch break any business-critical systems, as well as any industry or governmental regulations that they may be governed by.

Yes, the risk of this vulnerability is very real. I have to say that if your organization is so desperate to mitigate this risk by installing a third-party patch, then you may want to re-evaluate your entire security policy, especially risk management. There is no magic fence or force field around your business, and risk is a constant. Recognizing the risk and building strong contingency plans will help you make it through the challenges that are inevitable. I know that I am usually pointing out vulnerabilities, making sure I help spread awareness on the issues of the day, but there are other security measures that you need in place for the times that your software should fail you.

While I am critical of some of the decisions that were made by SANS this week, they did provide some good information and links today that delve into the plans and measures that I just mentioned. Hopefully, you have good recovery procedures and incident response plans in place, and we will see each other when the DOOM is over.