W
Wilbur Post
Does this mean we shouldn't copy or dl image files from newsgroups or
copy jpgs from the net, or save web pages in html or mht format?
Will the MS patch cover it all?
http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html
Windows PCs face ‘huge’ virus threat
By Kevin Allison in San Francisco
Published: January 2 2006 18:18 | Last updated: January 3 2006 12:01
Computer security experts were grappling with the threat of a new
weakness in Microsoft’s Windows operating system that could put hundreds
of millions of PCs at risk of infection by spyware or viruses.
The news marks the latest security setback for Microsoft, the world’s
biggest software company, whose Windows operating system is a favourite
target for hackers.
“The potential [security threat] is huge,” said Mikko Hyppönen, chief
research officer at F-Secure, an antivirus company. “It’s probably bigger
than for any other vulnerability we’ve seen. Any version of Windows is
vulnerable right now.”
The flaw, which allows hackers to infect computers using programs
maliciously inserted into seemingly innocuous image files, was first
discovered last week. But the potential for damaging attacks increased
dramatically at the weekend after a group of computer hackers published
the source code they used to exploit it. Unlike most attacks, which
require victims to download or execute a suspect file, the new
vulnerability makes it possible for users to infect their computers with
spyware or a virus simply by viewing a web page, e-mail or instant
message that contains a contaminated image.
“We haven’t seen anything that bad yet, but multiple individuals and
groups are exploiting this vulnerability,” Mr Hyppönen said. He said that
every Windows system shipped since 1990 contained the flaw.
Microsoft said in a security bulletin on its website that it was aware
that the vulnerability was being actively exploited. However an official
patch to correct the flaw was not expected to be released until January
10.
In the meantime, Microsoft said it was urging customers to be careful
opening e-mail or following web links from untrusted sources, and
provided instructions for a “workaround” that would reduce the likelihood
of attacks.
Meanwhile, some security experts were urging system administrators to
take the unusual step of installing an unofficial patch created at the
weekend by Ilfak Guilfanov, a Russian computer programmer.
Concerns remain that without an official patch, many corporate
information technology systems could remain vulnerable as employees
trickle back to work after the holiday weekend.
“We’ve received many e-mails from people saying that no one in a
corporate environment will find using an unofficial patch acceptable,”
wrote Tom Liston, a researcher at the Internet Storm Center, an antivirus
research group. Both ISC and F-Secure have endorsed the unofficial fix.
In its security bulletin, Microsoft made a general recommendation against
unofficial patches, saying it was “best practice to utilise security
updates for software vulnerabilities from the original vendor of the
software”.
Microsoft routinely identifies or receives reports of security weaknesses
but most such vulnerabilities are limited to a particular version of the
Windows operating system or other piece of Microsoft software. In recent
weeks, the company has been touting its progress in combating security
threats.
The company could not be reached on Monday for comment
copy jpgs from the net, or save web pages in html or mht format?
Will the MS patch cover it all?
http://news.ft.com/cms/s/0d644d5e-7bb3-11da-ab8e-0000779e2340.html
Windows PCs face ‘huge’ virus threat
By Kevin Allison in San Francisco
Published: January 2 2006 18:18 | Last updated: January 3 2006 12:01
Computer security experts were grappling with the threat of a new
weakness in Microsoft’s Windows operating system that could put hundreds
of millions of PCs at risk of infection by spyware or viruses.
The news marks the latest security setback for Microsoft, the world’s
biggest software company, whose Windows operating system is a favourite
target for hackers.
“The potential [security threat] is huge,” said Mikko Hyppönen, chief
research officer at F-Secure, an antivirus company. “It’s probably bigger
than for any other vulnerability we’ve seen. Any version of Windows is
vulnerable right now.”
The flaw, which allows hackers to infect computers using programs
maliciously inserted into seemingly innocuous image files, was first
discovered last week. But the potential for damaging attacks increased
dramatically at the weekend after a group of computer hackers published
the source code they used to exploit it. Unlike most attacks, which
require victims to download or execute a suspect file, the new
vulnerability makes it possible for users to infect their computers with
spyware or a virus simply by viewing a web page, e-mail or instant
message that contains a contaminated image.
“We haven’t seen anything that bad yet, but multiple individuals and
groups are exploiting this vulnerability,” Mr Hyppönen said. He said that
every Windows system shipped since 1990 contained the flaw.
Microsoft said in a security bulletin on its website that it was aware
that the vulnerability was being actively exploited. However an official
patch to correct the flaw was not expected to be released until January
10.
In the meantime, Microsoft said it was urging customers to be careful
opening e-mail or following web links from untrusted sources, and
provided instructions for a “workaround” that would reduce the likelihood
of attacks.
Meanwhile, some security experts were urging system administrators to
take the unusual step of installing an unofficial patch created at the
weekend by Ilfak Guilfanov, a Russian computer programmer.
Concerns remain that without an official patch, many corporate
information technology systems could remain vulnerable as employees
trickle back to work after the holiday weekend.
“We’ve received many e-mails from people saying that no one in a
corporate environment will find using an unofficial patch acceptable,”
wrote Tom Liston, a researcher at the Internet Storm Center, an antivirus
research group. Both ISC and F-Secure have endorsed the unofficial fix.
In its security bulletin, Microsoft made a general recommendation against
unofficial patches, saying it was “best practice to utilise security
updates for software vulnerabilities from the original vendor of the
software”.
Microsoft routinely identifies or receives reports of security weaknesses
but most such vulnerabilities are limited to a particular version of the
Windows operating system or other piece of Microsoft software. In recent
weeks, the company has been touting its progress in combating security
threats.
The company could not be reached on Monday for comment
