A nasty Windows exploit was uncovered recently that could provide yet another route for viruses and other malware to infect your computer and generally crap in your Cheerios.
This has been brewing for at least a week now, but with all good people being away for the holiday, it either hasn’t gotten as much attention as it has deserved because everyone is wondering how their pants suddenly got so small, or it’s gotten too much attention because there hasn’t been much other tech news to report while digesting piles of Christmas sweets.
Now that it’s the new year though, more of Microsoft is back from using up some of their 4+ weeks of vacation a year before it expires, and they are trying to reassure people who are freaking out about the fact that there still isn’t a patch for this thing. One of the people doing the reassuring is Jesper, who describes himself thusly:
“a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figure out how to make it possible to do so.”
Jesper has some good tips on mitigating exposure to this exploit here: Jesper’s Blog : Conscientious Risk Management and WMF
Unfortunately, he can’t resist the opportunity to trash the people outside of Microsoft who have been working to bring the details of this exploit to light. One example: when explaining how an unofficial non-Microsoft patch against this vulnerability works, he says it does so “using basic rootkit technology” (no innuendo in that description, none at all). Elsewhere he complains that the people publicly sharing information about this vulnerability “make it possible for even criminals who barely know how to use a computer to exploit this issue.”
So, let’s break this down. The people who are sharing the information that Jesper complains about may well be making it easier for criminals to exploit the issue. They are also making it possible for people like the fellow who released the patch to get something out there while half of Microsoft was off skiing at Whistler (or someplace with better snow this year). It would be a lot easier for Microsoft if independent security researchers kept info about this vulnerability under their hats until after the holidays, so you can forgive Jesper for being cranky. (The photo in his blog masthead makes it look like he had to come in early from SCUBA diving in the Virgin Islands to whip out a blog entry for Microsoft’s concerned customers.)
Unfortunately, this vulnerability has been around for years and Microsoft hasn’t done anything about it. Not a surprise really, since they designed it into the OS in the first place. I have some sympathy for Microsoft; it’s got to be hard to find and patch all the security problems that have been incorporated into Windows over the years. Who was to know back in 1995 that security would be a big issue in a world where every computer was networked to every other computer? I mean, come on, it was 1995! Microsoft was too busy giving demos to developers about how their new Internet-aware dev tools let you do remote SQL queries over the net by sending freetext passwords in e-mail. They were much too distracted with kicking Netscape’s ass and controlling the Internet to worry about unforeseen things like network security. And please, who was even thinking about creating restricted execution environments for untrusted code running in a Java-like virtual machine (besides James Gosling, I mean). And then, you know, as the years wore on, there was a monopoly to exploit before the feds caught up to them.
So, it seems our choice is either to trust Microsoft, again, and hope that some smart little punk out there somewhere doesn’t figure out an exploit of his own before MS gets around to fixing things, or to actually share as much information as possible in order to understand and guard against this problem, with or without MS.