There are worse attacks

By Larry Seltzer  |  Posted 2006-01-02 Print this article Print

than this"> Personally, I reserve the level of anxiety Im seeing out there for network worms like Blaster and Sasser, not for threats that, as far as we can tell so far, require user action. It could be that someone will come up with a way to make these exploits work without the user having to open a file or navigate to a Web site, but it hasnt happened yet, and it might not. And in the meantime, mainstream security products are dealing with the problem.

And there are other things that proactive users and administrators can do. Theres Microsofts workaround, which disables the Windows Picture and Fax Viewer program (see Microsofts advisory for details). This is not a fix for the basic problem, but rather it blocks the most prominent vector for exploiting this vulnerability. There are other vectors, such as Microsoft Paint, Lotus Notes and probably many other applications. Still, this solution does have the advantages of being safe, albeit at the loss of some system functionality (your picture viewer and thumbnails in Windows Explorer), and having the explicit endorsement of Microsoft.

But theres a better, although somewhat riskier, solution: A well-known programmer named Ilfak Guilfanov has released a patch he wrote that addresses the core problem by disabling the Windows functionality on which the exploits depend. Guilfanov has tested it on Windows 2000 (SP4), XP 32-bit, XP 64-bit and Windows Server 2003. This patch comes with an uninstaller that I have tested, albeit on a single box, and it works.

The consensus in the security discussions I have read is that the removed Windows functionality is not something that will ever be missed, but that strikes me as an arrogant assumption. Theres an astonishing amount of code written for Windows and, as Guilfanov himself explained in a security discussion this weekend, there are legitimate uses for it. The real solution would be a real patch from Microsoft for the vulnerable code, one that has been tested on all the supported versions, including the international ones.

I hope this next statement is quickly made obsolete, but as I write this we still dont have a patch. Im ready to say that Guilfanovs patch appears safe and effective for mainstream U.S. versions of Windows, but I would have preferred a more comprehensive test.

Yes, we could still have a major outbreak on our hands, but Im reasonably satisfied that the people most likely to be affected are those who leave their PCs unprotected by anti-virus software and credulously open files sent by strangers. Indeed, the most likely way to be attacked through this vulnerability is by viewing an adware-infected Web site that you are most likely to visit when redirected by adware already on your system. Exploiting the already exploited doesnt score you any points in the malware business.

And you do need to be either already exploited or credulous enough to get yourself there to fall for this. Actually, the very fact that you read this column probably makes you too aware of security issues to be attacked successfully.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog. More from Larry Seltzer

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel