unofficial patching 4 January, 2006 at 8:10 am
the head of my branch’s it security folks sent out a notice yesterday …
well, background, starting last week when it was discovered, until now, i’ve received a little under a dozen emails at work about how dangerous the windows wmf flaw/exploit is and if you get infected it’ll be easier to rebuild the box yadda yadda
(incidentally i received more messages about the FCU phishing scam … and all 15 of those arrived in one day …)
yesterday a notice comes around about an unofficial patch on some site … and we’re being told we should install it. now, i presume that it’s been reviewed by people and determined that it’s non-trojan-ey an’ stuff. and i honestly haven’t looked at it.
but … recommending that we install an unofficial patch off the WEB?
come ON! at least commit so far as downloading it and hosting it locally on one of the security division’s web servers. otherwise you’re just telling everyone that it’s OK to go out and download & install things they find on the web that say they’ll help!
and his reasoning for this when i asked??? b/c most of the users would just continue surfing and get hit by the bug, they’re not SMART ENOUGH to understand how not to get screwed. so we’re telling NOT SMART people to download and install things off the net like they’re going to be able to make the distinction between good patch and bad patch on their own when we can’t trust them to surf websites?????
jesus.
Oh, and there’s a history of unofficial patches interacting poorly with official patches. and the sec guy acknowledged the possibility that everyone who applied this patch may get completely fucked on black tuesday …
and don’t get me started on black tuesday!
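The post’s complaint about pointing users at a patch on the open web rather than hosting it locally has a concrete check behind it: whoever stages the file should pin its hash against a value obtained out of band (the author’s announcement, an independent advisory) and refuse to publish anything that does not match, so a swapped or trojaned download never reaches the internal share. The following is an added example and is not code from the post or from the patch’s author; the file name, the sample bytes and the pinned hash are constructed for the demonstration, and on Windows you would additionally check the binary’s Authenticode signature, which this snippet does not do.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed stand-in for the downloaded patch binary (NOT the real WMF
# hotfix): a fake PE-looking header followed by filler. It exists only to
# exercise the staging logic below.
SAMPLE_PATCH = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"fake-wmf-hotfix-body"


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


# The value you would pin from an out-of-band source before staging. Here it
# is derived from the constructed sample so the example is self-contained.
PINNED_SHA256 = sha256_of(SAMPLE_PATCH)


def verify_patch(data: bytes, pinned_sha256: str) -> bool:
    """True iff the bytes hash to the pinned value (constant-time compare,
    case-insensitive on the hex digest)."""
    return hmac.compare_digest(sha256_of(data), pinned_sha256.lower())


def stage_patch(src: Path, dest_dir: Path, pinned_sha256: str) -> Path:
    """Copy a downloaded patch onto the internal distribution point only if
    it matches the pinned hash; raise ValueError and stage nothing otherwise."""
    data = src.read_bytes()
    if not verify_patch(data, pinned_sha256):
        raise ValueError(f"{src.name}: hash mismatch, refusing to stage")
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / src.name
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Stage a good copy and a tampered copy; report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = root / "wmffix.exe"          # hypothetical file name
        good.write_bytes(SAMPLE_PATCH)
        bad = root / "wmffix-tampered.exe"  # same bytes with one byte appended
        bad.write_bytes(SAMPLE_PATCH + b"\x00")
        intranet = root / "intranet" / "patches"  # stand-in for the local share

        staged = stage_patch(good, intranet, PINNED_SHA256)
        try:
            stage_patch(bad, intranet, PINNED_SHA256)
            tampered_rejected = False
        except ValueError:
            tampered_rejected = True

        return {
            "staged_matches": staged.read_bytes() == SAMPLE_PATCH,
            "tampered_rejected": tampered_rejected,
            "tampered_not_on_share": not (intranet / bad.name).exists(),
        }


if __name__ == "__main__":
    print(demo())
```

The hash must come from somewhere other than the download itself; a digest published on the same page as the file proves nothing if that page is what got swapped. Pinning it once, centrally, and having users fetch only from the internal location is the difference between one person vetting the patch and every user doing it alone.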
They’re unlikely to get fucked – it’s an in-memory patch.
If they’re that worried about the not-smart people, why are they even running as Admins on Windows?