IT Security & Network Security News, eWeek.com (January 4, 2011)
"Microsoft issues an advisory on a Windows security vulnerability after exploit code went public. The bug is not under attack, according to the company.
"Exploit code for a new Windows security bug has gone public, prompting Microsoft today to issue an advisory to warn users.
"So far, no attacks taking advantage of the bug have been seen in the wild, Microsoft reported. The vulnerability lies in the Windows Graphic Rendering Engine and, according to Microsoft, can be used by an attacker to run arbitrary code in the context of the logged-on user.
" 'Today we released Security Advisory 2490606, which addresses a publicly disclosed vulnerability affecting Microsoft Windows Graphics Rendering Engine on Vista, Server 2003, and Windows XP. … The vulnerability does not affect Windows 7 or Windows Server 2008 R2, the newest versions of our operating system,' blogged Angela Gunn, senior marketing communications manager of Trustworthy Computing at Microsoft...."
This isn't good news: but it could be a lot worse. For the bug to be a problem, a user has to go to a website that's been designed to exploit the bug - or use a Word or PowerPoint file infected with the right - or, rather, wrong - malicious code.
"...'The real danger this vulnerability poses is that it can be exploited simply by getting a user to view a malicious thumbnail image associated with a number of different document types, including Microsoft Word,' explained Joshua Talbot, security intelligence manager for Symantec Security Response...."
Common Sense, Caution, and Frequent Malware Scans
The Lemming isn't concerned about this issue, personally: Computers in this household use other operating systems.
Still, I intend to re-read the article tomorrow, after a good night's sleep.
The potential threat discussed in eWeek.com's article is one of the reasons that the Lemming's computer is set up to let the Lemming know when there's an update for the operating system. That, scheduled malware scans, and mildly paranoid software to look over the Lemming's shoulder as he explores the Web, have kept this system fairly safe.
Perfectly safe? No. A recent scan de-wormed the Lemming's computer. The trick, in the Lemming's opinion, isn't to have perfect security: but to have routines that deal with threats that show up.
The eWeek.com article says that a patch is in the works - and that meanwhile Microsoft has a workaround for folks whose computers are at risk.
And, of course, the advice that you've heard so often: Be careful how you handle suspicious files; and be really careful about following "untrusted" links.