Security Community in Dispute over Severity of WMF Flaw

Opinion: Is this really one of those extraordinarily dangerous problems? And why hasn't the sky fallen yet?

Inspired somewhat by the Department of Homeland Security Threat Advisory Level (or was it the other way around?), Symantec maintains a global threat level called ThreatCon, defined as "a measurement of the global threat exposure, delivered as part of Symantec DeepSight Threat Management System."

On Tuesday, Symantec elevated ThreatCon to a level 3 (out of 4) out of concern for the potential threats from the WMF vulnerability in Windows.

For some perspective, this is the first time ThreatCon has been this high since July 2004 for MyDoom.M, when it actually hit the maximum level of 4 (which I think indicates Global Thermonuclear War). Prior to that it had reached 3 in May 2004 for Sasser.

/zimages/6/28571.gifClick here to read more about smart WMF remediation.

Needless to say, ThreatCon at level 3 is not a common occurrence, and I agree its been a while since we had a really serious threat on our hands. Its also fair to say that Symantec is extremely concerned about the WMF vulnerability, in spite of the fact that they havent identified any actual attacks of any importance.

Theres logic to this, since they fear that even if everyone can protect themselves, and even if users with updated anti-virus are protected (a controversial hypothesis, but assume it for the sake of argument), there are still large numbers of systems that are completely unprotected.

Microsoft uses a number that 50 percent of systems out there dont have updated anti-virus protection, and most outside observers think that 50 percent is an optimistic number.

Symantec isnt alone. Perhaps the most influential piece of writing in the gloom and doom school of this particular problem was this diary entry by Tom Liston of the Internet Storm Center. "Ive written more than a few diaries, and Ive often been silly or said funny things, but now, Im being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad."

Actually, now that Microsoft has announced they are releasing the update early I bet Symantec downgrades. But of course, theres also some large percentage of users who dont apply updates, and theyll still be vulnerable. Its not over yet.

Next Page: Not an "elite" threat.