The Next Great Worm Is Coming
Opinion: We've all been warned. Perhaps enough of us will apply the updates, but it looks like the next great Internet worm will be based on Microsoft's GDI+ hole.
Just when mass-mailer worms are becoming an endemic but utterly preventable problem, a whole new wrinkle is developing. Mass-mailer worms based on the Microsoft GDI+ vulnerability will probably slip through most perimeter e-mail protection facilities. There is a client-side patch for Windows prior to XP Service Pack 2, which itself is not vulnerable, and there is some measure of imperfect protection for third-party programs. The third-party issue is probably not so bad in the short term, but the long term isn't pretty.
But the prospect of HTML e-mails, which, though they have no explicit attachments, infect the system and run arbitrary code on them, is extremely troubling to me. Numerous proof-of-concept exploits are appearing and, while I hear at least some of them do not reliably exploit the hole, it's just a matter of time before one comes out that is troublesome enough.