Offering frequent news and analysis from the majestic Evergreen State and beyond, The Cascadia Advocate is the Northwest Progressive Institute's unconventional perspective on world, national, and local politics.

Wednesday, January 04, 2006

Microsoft downplaying WMF vulnerability

A must-read article from the Washington Post this morning:
Security experts yesterday criticized Microsoft Corp. for waiting until next week to address a recently revealed flaw in the Windows operating system that they say is unusually dangerous.

The experts took the unusual step of urging users to install a patch created by a private developer, saying Microsoft is downplaying the severity of the security hole.

The flaw, revealed last week, allows hackers to break into computers running versions of Windows software -- from Windows 98 through the most recent Windows XP. The flaw allows computers to be infected with spyware or viruses by visiting a Web site or opening an image or link in an e-mail or instant message.
We agree. Windows users should install the unofficial patch (instructions for protecting your computer are here). More from the Washington Post:
Thomas F. Liston, an incident handler with the SANS Internet Storm Center in Bethesda, said Microsoft was downplaying the threat from the flaw.

"They're just keeping their fingers crossed that this doesn't blow up in a big way until the 10th," Liston said.

Another computer-security firm, Symantec Corp., said Microsoft's decision to delay the patch for another week presents attackers with a "seven-day window that attackers could exploit this issue in a potentially widespread and serious fashion." The Cupertino, Calif., company raised its threat alert to the highest level in 16 months.

Liston said hundreds of Web sites are exploiting the flaw. Malicious hackers expanded into instant messages on New Year's Eve to take advantage of the vulnerability, he said.

In an advisory posted on its Web site earlier this week, SANS urged Windows users to download and install the unofficial patch. SANS and other security experts checked the patch to ensure that it fixes the security flaw without compromising other programs or creating other problems for the users, Liston said.
The patch is safe. Again, NPI urges you to follow the above link and take the necessary steps to protect your machine. A final excerpt from the Post article:

Until Microsoft releases its patch, customers should practice "safe computing habits," such as updating anti-virus software and avoiding unfamiliar Web sites, [a Microsoft spokeswoman] said. However, it's unclear whether safe computing is enough because the exploit is altered every time it infects a new machine, making it tougher for anti-virus software to detect it.

F-Secure Corp., the Finnish anti-virus company that first spotted the exploit on the Internet on Dec. 27, also vouched for the safety of the unofficial patch and advised customers to use it.
The world's top security experts advise you not to wait for Microsoft. We concur. (Microsoft, by the way, has in fact completed their fix - they are now testing it, but refuse to release it until next week).

Windows users who are serious about computer security should install the unofficial patch and not leave their systems unprotected. It's too bad Microsoft is downplaying the WMF vulnerability, because it means more users are going to leave their computers unprotected until the "official" patch is released. You don't have to be one of them. Protect your OS now.
