Serious Windows security flaw

Recovered from the Wayback Machine.

Thanks to Ken Camp we’re warned about an extremely serious Windows vulnerability.

The flaw, which allows hackers to insert malicious computer programs into seemingly innocuous image files, was discovered last week.

But the potential for damaging attacks increased dramatically at the weekend after a group of computer hackers published the source code they used to exploit it.

Unlike most attacks, which require victims to download or execute a suspect file, the new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.

There is no official Microsoft patch, and until there is, I’m keeping my Windows 2000 dual boot firmly fixed on Ubuntu. If you’re running XP there is an unofficial patch.

In the meantime, if you’re running an unpatched Windows machine, I would strongly suggest that you not follow any links that appear in my or anyone else’s comments — even if the person writing the comment seems to be someone you know. Anyone can use any name with a comment (even someone else’s name), and I don’t filter links.

All you have to do is open one email, IM, or web page with an infected image — or use something like Google Desktop, which indexes such files.

Ad makers are exploiting this vulnerability to infest your machines with spyware.

But before you click that link–you sure you want to do that?

A weblogger named Jesper, who says he’s a Senior Security Strategist in the Security Technology Unit at Microsoft, wrote unofficially about workarounds and related matters for this issue.
His view of the unofficial non-Microsoft kissed patch is: don’t use it.

Again, it is risk management. If you have extremely high security requirements, you may want to go so far as using something as drastic as an unofficial patch. However, in that situation you are probably not willing to trust a third-party packaged patch anyway. The unknown risk of issues with an unofficial patch is pretty high. The cost of implementation ranges from low in a very managed environment, to very high in an unmanaged environment. If your risk and the cost of the attack are very high then you may want to consider the unofficial patch, but I cannot in the best conscience recommend it right now.

This after listing a bunch of options that even he admits won’t likely protect a computer, especially with the new malware exploits. He’s speaking privately, though, and not officially, so we have to factor that into our interpretation–except we have to assume that since he’s a ‘security consultant’ he’s fully aware of the impact of his position on people reading his words.

Some folk would say this is the power of weblogging: these real company people writing to real weblogs saying real things. To that I say, “Bullshit!” This is the weakness of weblogging — no one says anything directly. It’s all a game, and those of us who are forced into the game are stuck trying to figure out the rules before we get swept from the board.

Jesper isn’t condemning the patch because he knows it to be flawed or unworkable, but because it isn’t Microsoft. Pure and simple. And he’s doing so as one of us, which is supposed to what? Increase his credibility?

Well, since Microsoft is the one who put out the code, and has downplayed the vulnerabilities (“We have determined that an attacker would have no way to force users to visit such a malicious Web site”–this from a weblog entry), as well as being less than concerned about putting out a timely fix (“we will release a fix via our regular monthly security release…Have a Happy New Year!”), I have to wonder who exactly it is we are supposed to trust?


Fighting fires

We got our first tornado warnings this morning, before a storm came through that blasted light and sound against my windows. At least we’ve had rain, unlike the folks in Oklahoma and Texas, who are battling some fairly serious plains fires. Too bad these states didn’t get the rain the folks in Northern California received.

Speaking of fires, I appreciate Jeneane passing the Pew Survey torch on to me, but I have little interest in doing more than give a quick cursory glance at the findings. There are others who have written in detail on the report. I would say that the researchers had a hypothesis going in, and then found the data to support it. If they had come out saying “Women prefer purple dots on yellow, while men prefer yellow dots on purple”, they would have found the data to support this, too.

Me, I’m more interested in watching the weather.

Connecting Weblogging


“Obviously, your not from my south because down here we hate gay people and we hate your beliefs about this subject Shelley! Oh and I don’t have sex with my horse and obviously your bible isn’t baptist!”

I laughed when I read this, thinking to myself, “You can’t pay someone to write words such as this!” Of course, at this point I realized that yes, you can. This comment is so stereotypical of ‘southern Baptists’ that I knew almost immediately it was fake.

A little checking on the commenters for my Brokeback post showed that at least two–Holly and Hoss–are fake commenters, coming from known SPEWS-listed IP addresses and arriving via search engine. Though Nate and Machelle don’t come from blacklisted IP addresses, they also came from similar search requests, each with suspicious-sounding hotmail addresses. The rest of those who commented either had commented here before or have unique, and valid, email addresses.
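The IP check described above is the kind of thing a DNS blocklist (DNSBL) lookup does: reverse the octets of the commenter’s address, append the list’s zone, and see whether an A record comes back in 127.0.0.0/8. The script below is an added example, not code from this weblog; the zone name, the comment log and the listing table are all constructed (SPEWS is long gone, and `dnsbl.example.invalid` is a placeholder, not a real service). It runs offline against the constructed table and also shows how the same check would be wired to the system resolver, while skipping RFC 1918, loopback and link-local addresses, which no blocklist can say anything useful about.

```python
"""DNSBL check for commenter IP addresses (added example, constructed data)."""
import ipaddress
import socket

# Placeholder zone, not a real blocklist.
EXAMPLE_ZONE = "dnsbl.example.invalid"

# Constructed stand-in for live DNS answers. A DNSBL answers a query for a
# listed address with an A record in 127.0.0.0/8; the last octet encodes the
# reason (meaning varies per list). Unlisted addresses get NXDOMAIN, which is
# modelled here as a missing key.
CONSTRUCTED_LISTINGS = {
    "203.0.113.77": "127.0.0.2",   # constructed: "listed as spam source"
    "198.51.100.9": "127.0.0.4",   # constructed: "listed as open relay"
}

# Addresses that are never sent to a blocklist. Checked explicitly rather than
# with ipaddress.is_private, because Python also treats the RFC 5737 sample
# ranges used in this example (192.0.2.0/24 etc.) as private.
SKIP_NETWORKS = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
)]

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the query name: octets reversed, zone appended.
    203.0.113.77 -> 77.113.0.203.<zone>"""
    addr = ipaddress.IPv4Address(ip)      # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def resolve_constructed(name: str):
    """Offline stand-in for a DNS A lookup, driven by CONSTRUCTED_LISTINGS."""
    for ip, answer in CONSTRUCTED_LISTINGS.items():
        if name == dnsbl_query_name(ip, EXAMPLE_ZONE):
            return answer
    return None   # NXDOMAIN: not listed


def resolve_live(name: str):
    """Real lookup through the system resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip: str, zone: str = EXAMPLE_ZONE, resolve=resolve_constructed) -> dict:
    """Classify one address against one blocklist."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in SKIP_NETWORKS):
        return {"ip": ip, "listed": False, "reason": "not checked (non-routable)"}
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return {"ip": ip, "listed": False, "reason": "not listed"}
    # A dead or hijacked list may answer with an ordinary address (e.g. a parking
    # page); only an answer inside 127.0.0.0/8 counts as a listing.
    if ipaddress.IPv4Address(answer) not in LISTED_RANGE:
        return {"ip": ip, "listed": False, "reason": f"unexpected answer {answer}"}
    return {"ip": ip, "listed": True, "reason": f"return code {answer}"}


def flag_commenters(comments, zone=EXAMPLE_ZONE, resolve=resolve_constructed):
    """Return the names of commenters whose address is listed."""
    return [c["name"] for c in comments if check_ip(c["ip"], zone, resolve)["listed"]]


# Constructed comment log: names and addresses are invented for the example.
SAMPLE_COMMENTS = [
    {"name": "commenter-a", "ip": "203.0.113.77"},
    {"name": "commenter-b", "ip": "192.0.2.10"},
    {"name": "commenter-c", "ip": "198.51.100.9"},
    {"name": "commenter-d", "ip": "10.0.0.5"},
]

if __name__ == "__main__":
    for c in SAMPLE_COMMENTS:
        print(check_ip(c["ip"]))
    print("flagged:", flag_commenters(SAMPLE_COMMENTS))
```

To query a real list, pass `resolve=resolve_live` and the list’s zone; the answer-range guard matters there, since abandoned blocklist domains have been known to answer every query, which would mark every commenter as listed.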

Following the search engine trail, I can see the same type of writing used in my comments appearing in comments on other posts, though which ‘side’ the commenter is on changes from post to post. I imagine if we did some checking on IP addresses, we’d find that ‘Holly’ commented as ‘James’ or ‘Linda’ elsewhere.

I’m not sure if this flurry of emails is from kids out to have a little fun, or spammers generating ‘controversy’ for a movie in order to increase interest. I do know that next time I want to write on something such as Brokeback, I won’t include the name in my title.

In fact, I’m creating a new category, ‘unclassified’, and adding a robots.txt entry to exclude entries in this category from search engine web bots. There is no value in getting visits from search engines for controversial topics such as these.

In the meantime, I’ve closed down commenting in that post, but left the comments–as a reminder the next time I start to react to a throwaway comment.