Deploy non Microsoft patch to Enterprise?

Grimmda

In 10 minutes I have a meeting with the "Patch Management Committee" to discuss the plan for the Microsoft Windows Metafile (WMF) vulnerability. There is an "unofficial" patch that is out that some experts are saying to deploy to enterprise environments and I'm very surprised by this. I work for a bank so I can't imagine any practice like that is acceptable, yet (probably) something should be done in the meantime.

There is a "work-around" to disable the WMF availability by unregistering the dll. I think deploying a package that would disable this DLL for now would be a more acceptable route. Would you all agree? Sorry for that last minute post as I just found out I'm getting pulled into this meeting.

If nothing else this thread will be a good follow up for me on my own time and for the future, as well as being able to post back into after the meeting.

(4,000 user environment XP w SP1/SP2 mixed)
 
YAY well it didn't even get suggested to deploy the non-standard patch. I thought it would have. The official word was to wait for the MS patch. In the meantime WMF files are blocked at the email side and there's a new pattern file coming from Trend. As for the virus's ability to be renamed from .wmf to .jpg or something and still deliver the payload of a WMF via the header information, we'll cross our fingers on it.
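
The gap mentioned in the post above (a WMF renamed to .jpg passing an extension block) is normally closed at the gateway by classifying attachments on their header bytes rather than their names. The following is an added example, not code from the thread; `sniff_wmf`, `should_block` and the sample byte strings are hypothetical names and constructed inputs.

```python
import struct
from pathlib import PurePath
from typing import Optional, Tuple

PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"  # 0x9AC6CDD7, little-endian, Aldus placeable header


def sniff_wmf(data: bytes) -> Optional[str]:
    """Return 'placeable' or 'standard' if the bytes start like a WMF, else None."""
    if data[:4] == PLACEABLE_KEY:
        return "placeable"
    if len(data) >= 6:
        # Standard header: type (1=memory, 2=disk), header size in 16-bit words, version.
        ftype, header_words, version = struct.unpack_from("<HHH", data)
        if ftype in (1, 2) and header_words == 9 and version in (0x0100, 0x0300):
            return "standard"
    return None


def should_block(filename: str, data: bytes) -> Tuple[bool, str]:
    """Gateway decision: block on WMF content first, file extension second."""
    ext = PurePath(filename).suffix.lower()
    kind = sniff_wmf(data)
    if kind and ext != ".wmf":
        return True, f"{kind} WMF header behind {ext or 'no'} extension"
    if kind or ext == ".wmf":
        return True, "WMF attachment"
    return False, "not WMF"


# Constructed sample inputs (not real captures): a minimal metafile with only an
# end-of-file record, the same wrapped in a zeroed placeable header, and a JPEG start.
SAMPLE_STANDARD = struct.pack("<HHHIHIH", 1, 9, 0x0300, 12, 0, 3, 0) + struct.pack("<IH", 3, 0)
SAMPLE_PLACEABLE = PLACEABLE_KEY + bytes(18) + SAMPLE_STANDARD
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    for name, blob in [("invoice.jpg", SAMPLE_STANDARD), ("logo.gif", SAMPLE_PLACEABLE),
                       ("photo.jpg", SAMPLE_JPEG), ("chart.wmf", SAMPLE_STANDARD)]:
        print(name, should_block(name, blob))
```

The standard-header test looks at only six bytes, so a filter like this should log the reason string and be tuned against real mail flow before it is set to drop messages.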
 
As an enterprise you should have an EA agreement with MS? If you do, ask your TAM about the patch. We have had this patch since last year on hand.
 
If a bunch of your machines don't even have SP2 I dunno why you're so worried about this one :rolleyes:

I'm testing the patch on a test farm at the moment to see if it's ready for enterprise deployment. Unless there's a showstopper in there it will be going out tonight.
 
I'm just stating if you haven't taken action, and the official patch is due today, I'd wait.

Isn't their normal release ~11:30CST, like 15 minutes away?
 
figgie said:
As an enterprise you should have an EA agreement with MS? If you do, ask your TAM about the patch. We have had this patch since last year on hand.
Do you have more info on this?
 
Phoenix86 said:
Oi... too long to wait. :(
Exactly. This thing is a bitch. My testing is going smoothly so I think the only course of action is to deploy it. The patch and uninstaller are slick and easy to deploy.
 
I also work for a bank, and our current status is that we blocked the extensions at the email server, and we're waiting for the MS patch. I haven't mentioned the unofficial one yet.
 
Yeah I know it said "you're crazy to not push this" but we're a bank, we're never cutting edge. Yeah kumquat you're tellin me, about 2,000 still don't even have SP2 hahaha, there's not even a project to push it out at the moment.

Crazy banks...
 
Grimmda said:
Yeah I know it said "you're crazy to not push this" but we're a bank, we're never cutting edge. Yeah kumquat you're tellin me, about 2,000 still don't even have SP2 hahaha, there's not even a project to push it out at the moment.

Crazy banks...
Hell yeah, someone feels my pain!

<---works for a public Real Estate co., we are <-> close to bankers.
 
My bank isn't pushing it, at least, that's what my boss and I just decided a few seconds ago :). We're blocking *.WMF at the email and Website level, hoping to stop it for a few days. Most websites are blocked anyway through our proxy.
 
Posted on Slashdot:

"ZDNet is reporting on the latest dire pronouncements about the WMF vulnerability. The problem is so serious that security experts are urging IT firms to use the unofficial patch. Microsoft's current goal is to release the update on Tuesday." From the ZDNet article: "This is a very unusual situation -- we've never done this before. We trust Ilfak, and we know his patch works. We've confirmed the binary does what the source code said it does. We've installed the patch on 500 F-Secure computers, and have recommended all of our customers do the same. The businesses who have installed the patch have said it's highly successful." It's big enough that even mainstream media is covering the flaw.

http://it.slashdot.org/article.pl?sid=06/01/03/1913252&tid=220&tid=109&tid=172&tid=218

Can anyone report if this article has changed their minds? I may bring this up to my boss again. It seems big enough that it warrants patching.
 
Even if the patch solves this problem, I have concerns about how it will interact when the real deal comes out Jan 10.

10,000 computers leave no room for a screw up around here. We have decided NOT to patch the workstations at this time. Will keep all of you updated, see what happens :)
 
We're still at the "don't push the unofficial" and I had a great conversation with our Data Security top manager/engineer and he says "at the moment we look in pretty good shape". For things to get REALLY fouled up once the .wmf is executed it then has to go out to the web and get the "backdoor" type program or "payload". Neither this exploit nor any variants THUS FAR can make use of a "user authenticated proxy" which our network uses... so the payload can never get down onto the PC here. If they suddenly saw lots of activity they could shut the door to the outside, deploy the unofficial patch THEN and turn back on the outside world.

For now we're waiting for Microsoft to come through Tuesday.

(DANG I FORGOT I WAS AT 1023 posts, I wasted my 1024'th on the "techno speak" I'm a [H]Gawd now YAY!)
 