I don’t like Microsoft, everyone knows that, and I don’t needlessly bash them if people using Windows are comfortable with it, but here’s just another reason to reconsider options.

“Microsoft acknowledged late Wednesday the existence of a zero-day exploit for Windows Metafile images, and said it was looking into ways to better protect its customers. Even worse, by the end of the day nearly 50 variants of the exploit had already appeared. One security company said the possibilities were endless on how the flaw could be exploited. ‘This vulnerability can be used to install any type of malicious code, not just Trojans and spyware, but also worms, bots or viruses that can cause irreparable damage to computers,’ said Luis Corrons of Panda Software. […] Attempting to allay fears, Microsoft said there would be no way for an attacker to force a user to visit a malicious Web site. However, Sunbelt vice president of Research and Development Eric Sites said there were ways to easily get around that issue. ‘For example, take the latest craze of posting spam in blog talkbacks,’ Sites said. ‘How would you like to be reading your favorite blog, click the talkback link and get infected so badly your only option is to reinstall your operating system.’”

A zero-day exploit is one that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known; so it’s out there, and there is no fix for it. It just shows the lack of security when ONE OS is so dominant. What should I tell my relatives who are running XP at home (that I tweaked with Firefox, ClamAV and the like, but still…): should they keep surfing the web? Funny timing, since I was just having a discussion with a friend about why images shouldn’t be allowed in instant messaging since they can cause havoc… now it’s just on web pages? Hmm… really kids, there are viable alternatives that will allow more layers of protection. Security through obscurity, not to mention a better set of security ideals and ACLs that have been thought out over 30 years… but I digress.

UPDATE: more fun news, it’s gotten worse with a version now being transferred via IM, no patch from Microsoft at least until January 9th, and the only fix is ‘unofficial’ (though likely at least as trustworthy as MS), which we know corpy-corps aren’t going to go for. Lastly, watch it in action: see how it infects, then installs a spyware removal program that refuses to remove anything until you pony up US$39.95!