WMF fix posted by Microsoft sooner than expected

Ed Bott says that Microsoft did the right thing by under-promising and over-delivering on the WMF fix.  I agree.  However, I would have liked to have seen more aggressive blocking of the WMF exploit by groups other than the Operating System group at Microsoft.  I think Hotmail could have blocked it, as could MSN Messenger, etc.  I was pleased to hear that they had something like 200 people working on the problem.  To coordinate that big a team in a short time is pretty remarkable.

Suggestions to Microsoft about WMF

What Microsoft should do about the WMF exploit.

· Use Automatic Update to immediately unregister the shimgvw.dll.  When they’ve fixed the problem, they can turn it back on.

· Negotiate to use Ilfak Guilfanov’s current fix.  Pay him at least six figures for it.

· Immediately patch MSN Messenger to not transmit WMFs.  This goes double if they are pretending to be a JPEG.

· Patch Microsoft Exchange not to send or receive WMFs.

· Patch Outlook not to send or receive WMFs.  This should be easy; they already eliminate dangerous items like batch files and executables.

· Patch Internet Explorer to not accept WMFs, especially if they are pretending to be a JPEG.  Why do they look inside a file to guess at what it is anyway?

· Change Hotmail to not transmit or receive WMFs.

· Advertise in all real-time media how to react to this.  Set up a special website just for this.
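The "pretending to be a JPEG" point in the list above is that the Windows image components identified a file by its content rather than its extension, so a WMF renamed to .jpg was still rendered as a WMF. The following is an added example, not code from the original post or from Microsoft, of the content check a mail or messenger gateway would need in order to actually honour those suggestions: it classifies a file by its leading bytes using the public WMF (placeable and standard METAHEADER) and JPEG layouts, and blocks WMF content whatever the file is called. The sample files and the should_block policy are constructed for this example.

```python
import struct

# Placeable (Aldus) WMF files start with the key 0x9AC6CDD7 stored little-endian,
# i.e. the bytes D7 CD C6 9A, as the first DWORD of a 22-byte placeable header
# that is followed by the standard METAHEADER.
PLACEABLE_MAGIC = b"\xd7\xcd\xc6\x9a"
PLACEABLE_HEADER_LEN = 22

# A JPEG stream begins with the SOI marker FF D8 and then another marker (FF xx).
JPEG_MAGIC = b"\xff\xd8\xff"


def _is_metaheader(buf):
    """True if buf starts with a standard WMF METAHEADER: Type 1 (disk) or 2
    (memory), HeaderSize 9 (measured in WORDs), Version 0x0100 or 0x0300."""
    if len(buf) < 6:
        return False
    mtype, hdr_words, version = struct.unpack_from("<HHH", buf, 0)
    return mtype in (1, 2) and hdr_words == 9 and version in (0x0100, 0x0300)


def sniff_image(data):
    """Classify by content only, ignoring whatever name the file arrived with.
    Returns 'jpeg', 'wmf' or 'unknown'."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PLACEABLE_MAGIC) or _is_metaheader(data):
        return "wmf"
    return "unknown"


def should_block(filename, data):
    """Gateway policy (constructed for this example): refuse WMF content no
    matter what the file is called, and refuse anything called .wmf no matter
    what it contains.  Returns (blocked, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_image(data)
    if kind == "wmf":
        return True, "WMF content in file named %r" % filename
    if ext == "wmf":
        return True, "file extension .wmf"
    return False, "%s content, extension %r" % (kind, ext)


# Constructed sample files (not real captures): a JFIF prefix, a placeable WMF
# renamed to .jpg, and a bare disk WMF renamed to .jpg, the case the post calls
# "pretending to be a JPEG".
SAMPLE_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 16
SAMPLE_METAHEADER = struct.pack("<HHHHHHIH", 1, 9, 0x0300, 0x20, 0, 0, 0x10, 0)
SAMPLE_PLACEABLE_WMF = PLACEABLE_MAGIC + b"\x00" * 18 + SAMPLE_METAHEADER
SAMPLE_DISK_WMF = SAMPLE_METAHEADER + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("holiday.jpg", SAMPLE_JPEG),
                       ("holiday.jpg", SAMPLE_DISK_WMF),
                       ("chart.jpg", SAMPLE_PLACEABLE_WMF),
                       ("chart.wmf", SAMPLE_JPEG)]:
        print(name, sniff_image(blob), should_block(name, blob))
```

A sniffer only recognises what it is written to recognise, and the Windows WMF loader was tolerant of odd headers, so a check like this reduces exposure rather than proving that no WMF gets through; that is why the policy blocks on either content or extension instead of trusting one of them, and why a gateway should treat "unknown" image data conservatively.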

I think Microsoft is acting flat-footed on this very serious exploit.  All of the items I have suggested can be started and run in parallel by multiple teams.  I suspect they have one small security team looking at this problem and haven’t really asked every Microsoft team how they can help reduce the risk.  Please, Microsoft, take this problem a lot more seriously!  Scoble has chimed in; maybe that will get some action.