Saturday, January 14, 2006

The WMF saga

Once upon a time, on 27th December 2005, a pestilent bug in the Windows graphical rendering engine (gdi32.dll) started to put at risk every Windows box on the planet, and even Linux ones running the WINE emulation package.

To gain momentum, the well-known security expert H D Moore developed an early exploit for his well-known (and much appreciated) open source penetration testing platform, Metasploit.
At the same time, to gain momentum, the well-known developer Ilfak Guilfanov, author of his well-known (and much appreciated) binary disassembler IDA Pro, developed an unofficial patch.
At the same time, Microsoft started developing and testing its own official patch, which was planned for release 15 days later.

Immediately after, SANS, the well-known (and much appreciated) organization for security awareness, for the first time in its history, released a vulnerability FAQ urging people to go and use the unofficial patch.
Immediately after, Microsoft released a webcast to discourage use of the unofficial patch, warn of possible compatibility issues (which did arrive) and defend its position by arguing that testing an official patch against every Windows variant takes a lot of time.
Immediately after, to gain momentum, ESET, the well-known (and much appreciated) organization developing the NOD32 antivirus, released a second unofficial patch.
Immediately after, Microsoft inadvertently leaked an unofficial pre-release patch, which was described as unstable and untested and therefore not advisable to install.

5 days before the planned date (and 10 days after the vulnerability discovery), Microsoft released the official patch.
At the same time, 2 bloggers from SecuriTeam, the well-known (and much appreciated) security portal, disassembled the official patch and compared it against Guilfanov's unofficial one, finding the two solutions to be identical.
At the same time, legacy Windows and Linux users discovered they wouldn't be safe at all, because Microsoft released no patch for them.

Immediately after, 2 new WMF vulnerability variants were disclosed, affecting just IE 5.0 on Microsoft Windows 2000 Service Pack 4 and IE 5.5 on Windows Millennium.
Immediately after, Microsoft minimized the impact of these new flaws.
Immediately after, to gain momentum, the well-known (and much appreciated) developer and security expert Steve Gibson claimed the original WMF vulnerability to be a Microsoft backdoor into Windows computers worldwide.
Immediately after, Microsoft security program manager Stephen Toulouse answered the claim, denying the imputed intentions.
Immediately after, a Linux News member started asking everybody why this happened when Microsoft reports spending $10-$50 million on security.
Immediately after, to gain momentum, the well-known (and much appreciated) content filtering company called Websense reversed the WMF exploit code (also available in PDF for maximum exposure).
Immediately after, without any need to gain momentum, the well-known (and much appreciated) Windows development expert Mark Russinovich claimed Steve Gibson's Microsoft backdoor assumption was totally wrong.
Immediately after, Steve Gibson released a second podcast, trying to limit the damage and launching a new utility for finding the WMF vulnerability.

38 days after the first public announcement of the WMF bug and 29 days after the official Microsoft patch, a Kaspersky Lab senior virus analyst revealed that the exploit code was being sold by Russian hackers on underground sites (I already talked about these kinds of places in another post) for $4000, and that the vulnerability was probably first discovered on 1st December 2005.

Almost a month after the two minor WMF vulnerabilities, and after releasing workarounds to avoid 0day attacks, Microsoft releases a patch.

Immediately after, 52 days since the first public announcement of the WMF bug, the first worm (a mass-mailing phishing trojan) hits the Net, starting from Australia.


By the end of the story you will have found, in bold text, the companies, organizations and individuals who played a role in this fascinating story.
Some increased their visibility (not always in the most ethical way), some lost credibility, and some confirmed that sometimes a single, trusted expert's analysis is worth much more than hundreds of official bulletins...

To be continued?

2 comments:

Sergio said...

There is a very interesting post in Mark Russinovich's blog. Mark claims that this flaw isn't a backdoor.

alessandro said...

Hi Sergio.
Thank you for commenting!

I waited to update the WMF saga to include as much news as possible.

It's now updated, also with Mark Russinovich's analysis.