Microsoft Enters 2006 with Yet Another Major Security Problem - 03 Jan 2006

For months now, Microsoft executives have touted 2006 as a year of innovation, with an unprecedented number of major product releases. But the new year is starting out on a decidedly low note, as Microsoft struggles to overcome bad news about a security vulnerability that affects every single OS it's shipped in the past 10 years. In what is now a familiar situation, the company is beset by yet another dangerous software vulnerability, and its customers are right in the crosshairs.

Welcome to Microsoft's credibility problem. Late last week, the company was confronted by news that a newly discovered vulnerability in the Windows Metafile (WMF) image format--a vulnerability that affects virtually every 32-bit Windows version ever made, including fully patched Windows Server 2003 and Windows XP systems--was both more serious than previously expected and already being exploited by malicious hackers. The software giant responded by saying that it would fix the problem by January 10, 2006, at the earliest, which is the date of its previously scheduled monthly security patch release for January. There's just one problem: This flaw is so serious that security experts now believe we can't wait that long.

On Sunday, security researchers at the SANS Institute Internet Storm Center warned that Windows users shouldn't wait for Microsoft's patch but should instead install a third-party patch that SANS evaluated over the weekend. To find out more about this patch and grab the free download, see the SANS WMF FAQs at the URL below.

I'm not sure I can recommend installing this patch, but consider this fact: You can be exploited by browsing the Web, or even by simply downloading an infected email. It doesn't matter how up-to-date your antivirus solution is, and it doesn't matter which browser you use, although Mozilla Firefox does offer a level of prompting that's not found in Microsoft Internet Explorer (IE).

Scared yet? You should be. And it's just going to get worse, as newer, more dangerous attacks are launched in the week before Microsoft issues a patch. My guess is that this isn't the kind of New Year Microsoft envisioned for Windows.

 
SANS WMF FAQ page.
