Carver Country

Saturday, January 21, 2006

you paid for what?

Today you discovered, while perusing your latest bank account statement, that "you" apparently used your bank debit card to pay for some "MSN Hotmail Plus" service. Your suspicion is immediately aroused. You are not a MSN/Hotmail person. You call their customer service department to investigate.

Card fraud.

Labels:

Sunday, January 01, 2006

grasshopper hates (security) bugs (in Windows), episode 1

Bah humbug. You hate other bugs, specifically computer security holes in MS Windows, so prone to malicious exploitation. You still work mostly in the Win32/x86-64 environment, and use IE to surf the web. You neither find fault with Windows' GUI, nor get drawn into heated discussions about M$'s monopoly and its consequences. You do, however, go crazy over Windows' numerous, exploited security vulnerabilities.

The latest is a 'zero-day' exploit that targets a vulnerability in Windows MetaFiles (WMF), when handled by applications such as Windows Explorer, IE, Windows Picture and Fax Viewer, Windows Paint, and Google Desktop. Over 70 variants of the exploit have emerged, and are spreading via webpages, email, and IM, while an official fix has yet to be produced. Larry Seltzer calls this a WMF (Windows Major Foul-Up); Steven J. Vaughn-Nichols takes the opportunity -- and rightly so, in this case -- to advocate Linux. You know this danger is real, because your system was attacked while loading a streaming webcast of Liverpool versus West Brom via IE. Fortunately you had preemptively installed Avast! -- in place of an eTrust-based scanner, because not all antivirus programs are able to detect all variants of the exploit -- and it prevented the infection.

Two -- albeit temporary, in the sense that Microsoft is responsible for the official, hopefully permanent fix -- effective workarounds have now been released by non-MS researchers. The most effective is Ilfak Guilfanov's patch. See Steve Gibson's Security Now! episode#20 notes for download information, and more links to articles detailing this WMF vulnerability. F-Secure's and Sunbelt's blogs track the latest developments.

Let us all practice more secure computing during this new year. Now is a really good time to read up on GNU Linux, install one's choice of distro, and learn to be productive in it. Best wishes.

Labels: ,