WARNING: Windows users, you are at risk to new security vulnerability - act now
This is extremely important. The media at large has been slow to catch on, but this needs to be spread far and wide, now:
Don't wait - act now. SANS has this for those of you with second thoughts:
A previously unknown flaw in Microsoft Corp.'s Windows operating system is leaving computer users vulnerable to spyware, viruses and other programs that could overtake their machines and has sent the company scrambling to come up with a fix.There is no official patch for this vulnerability yet from Microsoft. F-Secure and the SANS Internet Storm Center recommend that you install this unofficial patch, created by an expert and trusted Windows programmer.
Microsoft said in a statement yesterday that it is investigating the vulnerability and plans to issue a software patch to fix the problem. The company could not say how soon that patch would be available. (MSNBC is a Microsoft - NBC joint venture.)
Mike Reavey, operations manager for Microsoft's Security Response Center, called the flaw "a very serious issue."
[...]
Unlike with previously revealed vulnerabilities, computers can be infected simply by visiting one of the Web sites or viewing an infected image in an e-mail through the preview pane in older versions of Microsoft Outlook, even if users did not click on anything or open any files. Operating system versions ranging from the current Windows XP to Windows 98 are affected.
[...]
Mac and Linux computer users are not at risk with this attack, even if their computers run Microsoft programs such as Office or the Internet Explorer Web browser.
Reavey encouraged users to update their anti-virus software, ensure all Windows security patches are installed, avoid visiting unfamiliar Web sites, and refrain from clicking on links that arrive via e-mail or instant message.
"The problem with this attack is that it is so hard to defend against for the average user," said Johannes Ullrich, chief research officer for the SANS Internet Storm Center in Bethesda.
At first, the vulnerability was exploited by just a few dozen Web sites. Programming code embedded in these pages would install a program that warned victims their machines were infested with spyware, then prompted them to pay $40 to remove the supposed pests.
Since then, however, hundreds of sites have begun using the flaw to install a broad range of malicious software. SANS has received several reports of attackers blasting out spam e-mails containing links that lead to malicious sites exploiting the new flaw, Ullrich said.
Don't wait - act now. SANS has this for those of you with second thoughts:
Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us."Don't wait for Microsoft. Act now to protect your computer.
I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.
We've received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable.
Acceptable or not, folks, you have to trust someone in this situation.
To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it. Now we're going to expend some of that hard-earned trust:
This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch. You need to trust us.
We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.
The word from Redmond isn't encouraging. We've heard nothing to indicate that we're going to see anything from Microsoft before January 9th.
The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
It's time for some real trustworthy computing. All we're asking is if we've proved ourselves to be worthy of your trust.
