Recovered from the Wayback Machine.
Thanks to Ken Camp we’re warned about an extremely serious Windows vulnerability.
The flaw, which allows hackers to insert malicious computer programs into seemingly innocuous image files, was discovered last week.
But the potential for damaging attacks increased dramatically at the weekend after a group of computer hackers published the source code they used to exploit it.
Unlike most attacks, which require victims to download or execute a suspect file, the new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.
There is no official Microsoft patch, and until there is, I’m keeping my Windows 2000 dual boot firmly fixed on Ubuntu. If you’re running XP there is an unofficial patch.
In the meantime, if you’re running an unpatched Windows machine, I would strongly suggest that you not follow any links that appear in my or anyone else’s comments — even if the person writing the comment seems to be someone you know. Anyone can use any name with a comment (even someone else’s name), and I don’t filter links.
All you have to do is open one email, IM, or web page with an infected image — or use something like Google Desktop, which indexes such.
Ad makers are exploiting this vulnerability to infest your machines with spyware.
But before you click that link–you sure you want to do that?
A weblogger named Jesper who says he’s a Senior Security Strategist in the Security Technology Unit at Microsoft wrote unofficially on workarounds et al on this issue.
His view of the unofficial non-Microsoft kissed patch is: don’t use it.
Again, it is risk management. If you have extremely high security requirements, you may want to go so far as using something as drastic as an unofficial patch. However, in that situation you are probably not willing to trust a third-party packaged patch anyway. The unknown risk of issues with an unofficial patch is pretty high. The cost of implementation ranges from low in a very managed environment, to very high in an unmanaged environment. If your risk and the cost of the attack is very high then you may want to consider the unofficial patch, but I cannot in the best conscience recommend it right now.
This after listing a bunch of options that even he admits won’t likely protect a computer, especially with the new malware exploits. He’s speaking privately, though, and not officially so we have to factor that in our interpretation–except we have to assume that since he’s a ‘security consultant’ he’s fully aware of the impact of his position on people reading his words.
Some folk would say this is the power of weblogging; these real company people writing to real weblogs saying real things. To that I say, “Bullshit!” This is the weakness of weblogging — no one says anything directly. It’s all a game, and those of us who are forced into the game are stuck trying to figure out the rules before we get swept from the board.
Jesper isn’t condemning the patch because he knows it to be flawed or unworkable, but because it isn’t Microsoft. Pure and simple. And he’s doing so as one of us, which is supposed to what? Increase his credibility?
Well, since Microsoft is the one who put out the code, and has downplayed the vulnerabilities (“We have determined that an attacker would have no way to force users to visit such a malicious Web site”–this from a weblog entry), as well as been less than concerned about putting out a timely fix (“we will release a fix via our regular monthly security release…Have a Happy New Year!”), I have to wonder who exactly it is we are supposed to trust?