IT-DISCUSS Archives

January 2006

IT-DISCUSS@LIST.UVM.EDU

Subject:
From:
Don Tripp <[log in to unmask]>
Reply To:
Technology Discussion at UVM <[log in to unmask]>
Date:
Fri, 6 Jan 2006 14:06:47 -0500
Granted we don't support all versions of Windows anymore, but we should
clarify that the Microsoft security update does not fix the WMF
vulnerability in 98, 98SE or ME. Microsoft does not regard the
exploitability of these systems as critical because they have not
identified an attack vector that would compromise them.

From the bulletin FAQ:

http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

> Although Windows 98, Windows 98 Second Edition, and Windows
> Millennium Edition do contain the affected component, the
> vulnerability is not critical because an exploitable attack vector
> has not been identified that would yield a Critical severity rating
> for these versions.

FWIW,
-Don



Stefanie Ploof wrote:

> Hello everyone,
> 
> By the end of the business day today CIT intends to send a broadcast
>  message to UVM faculty, staff, and students about the WMF
> vulnerability, including the announcement that a Microsoft patch is
> available for immediate download.  Please see wording below and make
> any comments to the wording or to the extended information web page 
> (http://www.uvm.edu/cit/wmf-hole).  Please send all comments to the
> list so that all of us involved with the wording will see your
> responses.
> 
> Thank you!
> 
> Stefanie
> 
> 
> Begin forwarded message:
> 
>> Critical Patch for Microsoft Windows
>> 
>> David Todd, CIO, for the CIT staff
>> 
>> January 5, 2006
>> 
>> 
>> 
>> 
>> 
>> On December 27, 2005, Microsoft acknowledged 
>> <http://www.microsoft.com/technet/security/advisory/912840.mspx>
>> that reports of a vulnerability in the Windows operating system had
>> become public knowledge and might result in Windows PCs becoming
>> compromised for malicious purposes.  This web page provides members
>> of the UVM community with a brief description of the vulnerability
>> and with information on how to correct the problem.  *_All versions
>> of Windows are affected._*  Microsoft rates this as a critical
>> security issue. If you use a Windows workstation, please read this
>> and install the Microsoft patch or seek assistance (CIT Help Line,
>> 656-2604) to have it installed.
>> 
>> 
>> 
>> Briefly, a flaw in the Windows graphics rendering engine (“WMF
>> vulnerability”) appears to have been present since the original 
>> creation of that program. The program is invoked when your web 
>> browser, email program, or other application program needs to
>> display what it thinks is a graphics file.  The vulnerability would
>> permit an appropriately-constructed file to expose a Windows
>> workstation to remote access and control.  Such access would permit
>> others with malicious intent to, for example, harvest passwords
>> that you use to access central information databases, grant access
>> to all of your files, or permit your workstation to be used for
>> spamming or harassing others.
>> 
>> 
>> 
>> The flaw’s existence became public knowledge only a week ago, but
>> its potential impact is so significant that it gained
>> significant public press (VPR/NPR on Friday, 30 December, for
>> example) and technical discussion 
>> <http://www.computerworld.com/securitytopics/security/holes/story/0,10801,107420,00.html>.
>> 
>> 
>> 
> 
> 

-- 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Donald Tripp, Security Specialist
University of Vermont, Project CATalyst
[log in to unmask], (802)656-4104
aim: uvm ais don, jabber: dtripp
