Monday, January 02, 2006

Microsoft to users: Yeah, we'll get to it. Don't rush us.


It only makes sense that, since everyone else finds Microsoft's security holes, everyone else might as well fix them too:

WMF flaw can't wait for Microsoft fix, researchers say
They're recommending the installation of an unofficial patch now

Users of the Windows OS should install an unofficial security patch now without waiting for Microsoft Corp. to make its move, security researchers at The SANS Institute's Internet Storm Center (ISC) advised yesterday.

Their recommendation follows a new wave of attacks on a flaw in the way versions of Windows from 98 through XP handle malicious files in the WMF (Windows Metafile) format. One such attack arrives in an e-mail message entitled "happy new year," bearing a malicious file attachment called "HappyNewYear.jpg" that is really a disguised WMF file, security research companies including iDefense Inc. and F-Secure Corp. said (see "Risk of Windows WMF attacks jumps 'significantly,' security firm warns").

Even though the file is labelled as a JPEG, Windows recognizes the content as a WMF and attempts to execute the code it contains.
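As an added illustration (not code from the original article or from any of the vendors it quotes), here is a small Python checker that identifies a WMF file by its header bytes rather than by its extension, which is exactly the mismatch the "HappyNewYear.jpg" lure relies on. The magic values are the standard Aldus placeable-metafile key and the standard WMF header fields; the sample byte strings are constructed for the demo.

```python
import struct
from dataclasses import dataclass

JPEG_MAGIC = b"\xff\xd8\xff"          # SOI marker that opens every JPEG
WMF_PLACEABLE_KEY = 0x9AC6CDD7        # Aldus placeable WMF header key (little-endian DWORD)


@dataclass
class SniffResult:
    claimed: str    # type implied by the file extension
    detected: str   # type implied by the header bytes
    mismatch: bool  # True when the content is a known type that contradicts the extension


def sniff(data: bytes) -> str:
    """Classify a blob by its leading bytes: 'jpeg', 'wmf' or 'unknown'."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if len(data) >= 4 and struct.unpack("<I", data[:4])[0] == WMF_PLACEABLE_KEY:
        return "wmf"
    if len(data) >= 6:
        # Standard WMF header: FileType (1=memory, 2=disk), HeaderSize (always 9), Version
        file_type, header_size, version = struct.unpack("<HHH", data[:6])
        if file_type in (1, 2) and header_size == 9 and version in (0x0100, 0x0300):
            return "wmf"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> SniffResult:
    """Compare what the extension claims with what the bytes actually are."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = {"jpg": "jpeg", "jpeg": "jpeg", "wmf": "wmf"}.get(ext, "unknown")
    detected = sniff(data)
    return SniffResult(claimed, detected, detected != "unknown" and detected != claimed)


# Constructed samples (headers only, padded with zeros; not real attachments)
REAL_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12
DISGUISED_WMF = struct.pack("<I", WMF_PLACEABLE_KEY) + b"\x00" * 18
STANDARD_WMF = struct.pack("<HHH", 2, 9, 0x0300) + b"\x00" * 12

if __name__ == "__main__":
    samples = [("photo.jpg", REAL_JPEG), ("HappyNewYear.jpg", DISGUISED_WMF), ("chart.wmf", STANDARD_WMF)]
    for name, blob in samples:
        r = check_attachment(name, blob)
        print(f"{name}: claims {r.claimed}, header says {r.detected}, mismatch={r.mismatch}")
```

A mail gateway or endpoint scanner that applies this kind of header check can quarantine the renamed file before a user ever gets the chance to open it.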

And how dangerous is this flaw really?

Microsoft said in an advisory last week that to exploit a WMF vulnerability by e-mail, "customers would have to be persuaded to click on a link within a malicious e-mail or open an attachment that exploited the vulnerability."

Yeah ... clicking on a link or opening an attachment in an unknown e-mail. It's a good thing your average Windows user would never do anything that stupid.
