DEVELOPER OF INSECURE SOFTWARE Microsoft has announced the discovery of a serious security vulnerability that allows remote code execution on many of its Windows operating systems.
The vulnerability affects just about every operating system that the Vole has released in the past decade because "Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut." At least the company isn't hiding behind marketing jargon.
Though Microsoft initially said that its advisory contains "workarounds and mitigations for this issue", the solutions aren't for the faint of heart and will have already-overworked Windows sysadmins everywhere reaching for the latest LiveCD. Disabling the WebClient service seems to be the best way to shut off potential hackers.
Another bit of advice that would be laughable if it wasn't so dumb is to edit the registry to disable shortcut icons. Microsoft warns, "shortcut files and Internet Explorer shortcuts will no longer have an icon displayed," meaning a sparse desktop for all. We think it's the type of 'fix' that Steve Jobs would be proud of.
Removable drives are particularly suspect according to Microsoft, and it suggests that having autoplay disabled is one way to mitigate exposure, though it isn't a fix. On Windows 7, autoplay on removable drives is disabled by default.
The whole security fiasco blew up in Microsoft's face when researchers showed off a proof-of-concept exploit. A special case of the exploit, the Stuxnet rootkit, used two digitally signed Realtek drivers to mask its payload. Microsoft has since been working with Verisign, which has revoked the certificate used to sign the drivers, something that Realtek also supported.
There's no patch for the security hole yet, though the Vole is conducting an investigation and will "take the appropriate action" once it has done that.
In the meantime, it's probably best to view files on USB drives on a machine that's running Linux. µ
Selling shoddy dysfunctional merchandise, eh?
I don't suppose MS will be refunding monies to the sad mugs who paid for it though!...
It's extortion and criminal
I'm afraid your ignorance about this is rather overwhelming. There have already been targeted attacks and SANS have raised their Infocon level to yellow on this.
http://isc.sans.edu/diary.html?storyid=9190
This has nothing to do with putting icons onto desktops. Merely browsing a USB stick, CD or (potentially worst of all) remote shares with explorer can trigger this exploit as far as I can see.
As for your comments on Linux - they seem even less well informed.
@ Bubba: The last line of the article should be corrected to say: "It's probably best to use a machine that's running an OS used by the minority of users."
Ever fish? If so, you'd know you DON'T tell everyone where your best fishing hole is; surfers don't tell the tourists where the best waves are.
Please stop telling the sheeple to use Linux, or it will grow in popularity and then we will all get hacked to hell.
Linux? Seriously? Anyone who can suggest linux as a primary desktop environment needs something better to do with their time than penguin snowboarding. The real reason Linux has no exploits is nothing of value runs on it. What would they steal? Your anime collection?
Researchers showed off a "proof of concept" exploit. You know what that means? Theoretically it might be possible, but in reality it's probably never happened and will likely be fixed before it does.
The truth here is people should be smart enough not to run applications that put malicious icons on their desktop in the first place. I know it's harder to secure your system properly than it is to install Linux, but I'd much rather have all my software run native than through some bugged up emulation system.
Shortcut-based viruses have been spreading for ages. I guess virus writers even see them as old-fashioned nowadays.
Linux, with all its stupid flaws, lack of games, no proper office apps, and hours of googling and micromanaging, is still worth the trouble (and free).
Say goodbye to your icons. Heh, heh. -- Oh, I guess this one is relatively easy to fix, but it's *so* characteristically M$ that a basic desktop item has a severe flaw.
"In the meantime, it's probably best to view files on USB drives on a machine that's running Linux."
With plenty of live cds around it could be a good idea.
The last line of the article should be corrected to say: "It's probably best to use a machine that's running Linux."
Does it seem odd the safer operating system is free?