Friday, March 30, 2007
Worst-case Windows vulnerability
Once again, there's a Windows bug that allows bad guys to take over your computer if you just visit the wrong web page or open the wrong email.
The bad guys found the problem first and they're using it right now.
The problem is in the handling of animated cursors, the files that turn your mouse pointer into a moving cartoon. If you supervise programmers, remember this the next time you ask them to put in a low-priority feature. That feature is probably not worth the risk. This one sure wasn't.
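Animated cursors are RIFF containers with form type "ACON", so a gateway or desktop scanner can recognize them by content rather than by the ".ani" extension, and can refuse any file whose chunk table is malformed. The script below is an added example written for this page, not code from the original post or from Microsoft or eEye; the post does not describe the bug mechanism, and the checks here are generic structural sanity checks (chunk sizes that run past the end of the file, an "anih" header chunk that is not the 36 bytes a well-formed ANIHEADER occupies, a missing or duplicated header chunk). The sample files are constructed inline and the embedded "icon" payload is filler, not a real cursor image.

```python
import struct
import sys

RIFF_HDR = struct.Struct("<4sI4s")   # 'RIFF', payload size, form type ('ACON' for cursors)
CHUNK_HDR = struct.Struct("<4sI")    # fourcc, payload size
ANIH_SIZE = 36                       # sizeof(ANIHEADER): nine little-endian DWORDs


def is_animated_cursor(data: bytes) -> bool:
    """True if the bytes start a RIFF 'ACON' container, whatever the filename says."""
    if len(data) < RIFF_HDR.size:
        return False
    magic, _size, form = RIFF_HDR.unpack_from(data, 0)
    return magic == b"RIFF" and form == b"ACON"


def walk_chunks(data: bytes, start: int, end: int, depth: int = 0):
    """Yield (fourcc, declared_size, payload_offset, depth) for each chunk in data[start:end].

    A chunk whose declared size runs past 'end' is yielded once and then the walk
    stops, because nothing after an oversized chunk can be located reliably.
    """
    pos = start
    while pos + CHUNK_HDR.size <= end:
        fourcc, size = CHUNK_HDR.unpack_from(data, pos)
        payload = pos + CHUNK_HDR.size
        yield fourcc, size, payload, depth
        if payload + size > end:
            return
        if fourcc == b"LIST" and size >= 4:
            # LIST chunks are containers: a 4-byte list type, then nested chunks
            yield from walk_chunks(data, payload + 4, payload + size, depth + 1)
        pos = payload + size + (size & 1)  # chunk payloads are padded to even length


def check_ani(data: bytes) -> list:
    """Return a list of findings; an empty list means the container looks well-formed."""
    findings = []
    if not is_animated_cursor(data):
        return findings
    _magic, riff_size, _form = RIFF_HDR.unpack_from(data, 0)
    if riff_size + 8 > len(data):
        findings.append("RIFF size %d exceeds file length %d" % (riff_size + 8, len(data)))
    anih_count = 0
    for fourcc, size, payload, _depth in walk_chunks(data, RIFF_HDR.size, len(data)):
        if payload + size > len(data):
            findings.append("chunk %r declares %d bytes but only %d remain"
                            % (fourcc, size, len(data) - payload))
        if fourcc == b"anih":
            anih_count += 1
            if size != ANIH_SIZE:
                findings.append("anih chunk #%d has size %d, expected %d"
                                % (anih_count, size, ANIH_SIZE))
    if anih_count == 0:
        findings.append("no anih chunk")
    elif anih_count > 1:
        findings.append("%d anih chunks, expected one" % anih_count)
    return findings


# --- constructed sample files (not real cursors) ---------------------------
def chunk(fourcc: bytes, payload: bytes) -> bytes:
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def riff(form: bytes, body: bytes) -> bytes:
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + form + body


# cbSize, cFrames, cSteps, cx, cy, cBitCount, cPlanes, JifRate, bfAttributes
ANIH = struct.pack("<9I", ANIH_SIZE, 1, 1, 0, 0, 0, 0, 10, 1)
FRAMES = chunk(b"LIST", b"fram" + chunk(b"icon", b"\x00" * 16))  # filler frame payload

GOOD = riff(b"ACON", chunk(b"anih", ANIH) + FRAMES)
OVERSIZED = riff(b"ACON", chunk(b"anih", ANIH + b"A" * 24) + FRAMES)  # 60-byte header chunk
TRUNCATED = GOOD[:70]                                                  # cut mid-LIST
NOT_ANI = riff(b"WAVE", chunk(b"fmt ", b"\x00" * 16))

if __name__ == "__main__":
    # Usage: python ani_check.py file1 file2 ...   (defaults to the constructed samples)
    samples = {"GOOD": GOOD, "OVERSIZED": OVERSIZED, "TRUNCATED": TRUNCATED, "NOT_ANI": NOT_ANI}
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            samples[name] = fh.read()
    for name, blob in samples.items():
        print(name, "animated cursor" if is_animated_cursor(blob) else "not a cursor",
              check_ani(blob))
```

The walk deliberately stops at the first chunk that overruns its container instead of trying to resynchronize, since a scanner that keeps guessing after a bad length can be steered past the part of the file worth rejecting. Anything that `check_ani` reports on should simply be blocked at the mail gateway or proxy; there is no legitimate reason for a cursor file to carry a malformed header chunk.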
You avoid this issue using exactly the same steps I've been recommending all along. Read your email as plain text, not formatted like a web page. Don't use Internet Explorer: Firefox isn't vulnerable to this bug. Minimize the time you spend in sleazy web sites, though even an honest one might have been taken over by an intruder.
Microsoft's security efforts have been paying off. The very latest Internet Explorer version, if it's running under Vista and using a feature called "protected mode", is also safe.
UPDATE 4/1:
There's an unofficial patch for the animated cursor problem from security firm eEye. I don't know whether to recommend it. The downside is that the only way to beat Microsoft to the punch on something they care about is to do less testing. On the other hand you may not be able to afford to wait for the Microsoft solution (next Patchday is April 10).
Continue to beware of email: simply previewing a toxic email can infect you if you have HTML email turned on.
UPDATE 4/2:
Microsoft is supposed to release a patch tomorrow, Tuesday, a week before the regularly scheduled Patchday. Run Windows Update if you don't have automatic updates turned on. Remember, Microsoft only does this for a small fraction of the most serious security bugs. If they take it this gravely you should too. The unofficial patch is designed to uninstall itself in favor of the real patch -- that's a risk you'll have to size up for yourself.