Image Angst


by David Shamah, The Jerusalem Post, Friday, January 6, 2005


“The latest Service Pack for Windows XP—Service Pack 2 (SP2)—is all about security.” So began the blurb (http://www.microsoft.com/windowsxp/sp2/default.mspx) Microsoft sent out in 2004 urging users to install their latest security innovation. Tired of ever-repeating mini-scandals in which hackers discovered security holes in Windows that could be exploited by viruses, the company developed a “super secure” package for Windows XP that would make it nigh impossible for pimply-faced kids to remotely take over your machine for their nefarious slacker purposes.

And it worked, at least for a while. Microsoft has scrupulously updated SP2, issuing patches on a regular basis. If you use XP SP2 and have Automatic Updates turned on, you don't even notice the patches anymore – Microsoft installs them when you shut down your system.

But that doesn't mean that all is well for XP users these days. There are, of course, the run-of-the-mill viruses that can take over Windows operations, often by installing rogue programs with the same names as legitimate Windows DLLs and applications. This trash is supposed to be barred by your anti-virus software, which you of course need to update on a regular basis. And if you don't install all the Microsoft patches as they are issued, exploits that were designed to take advantage of security holes could still compromise your system.

And once in a while, something comes up that Microsoft didn't anticipate – leaving you vulnerable until the company comes up with a patch. It's possible that by the time you read this Microsoft will have come up with a patch for the latest security scandal plaguing Windows users, but maybe it won't – which means that your computer will be vulnerable to the “WMF bug” – an exploit that could result in a hacker having total access to your computer, letting them do who-knows-what with it!

WMF stands for Windows Metafile Format, which is a “container” file type for graphics that lets the computer display images like bitmaps and jpegs more quickly. WMF is a “legacy” format that has been with Windows since its '95 incarnation, and as such was never developed with the rigorous attention to on-line security that Windows 2000 and XP were. In other words, all versions of Windows use WMFs – meaning they are all equally vulnerable to the exploit.

And some hacker somewhere has figured out a way to use a flaw in this code to install rogue software; your “prize” might be a keylogger that will record whatever you type, like a user name and password or a credit card number, or it might be a “spammer” program that will let them use your system as a drop zone for “Vi a gr *” type messages, etc. How do these rogue programs get installed? Easy – you, the “vic” (I've been watching reruns of Law and Order!), get an e-mail with a sassy message that directs you to click on a Web link, or that contains an in-line picture. No attachments or viruses here – just a link, or an image, like the ones in the dozens of messages in your inbox that you plan to check out “when you have time.” However, clicking on this link lets the site download the rogue keylogger when your computer simply displays an infected image on the site! That's right – you don't have to click on anything, if you're using Internet Explorer, Outlook or Outlook Express (not that Firefox, Thunderbird, Opera etc. are all completely immune either).

The IT (information technology) community is up in arms about this one – because if you do work on-line or get e-mail, there's almost no way you can avoid coming up against this problem. There are a couple of things you can do now – specifically, disabling Windows Fax and Picture Viewer (see http://billpstudios.blogspot.com/2005/12/zero-day-wmf-exploit.html).

Someone (more likely lots of people) at Microsoft Central has had some late nights this week, you can be sure of that. And if a patch hasn't been developed yet (I write these columns about a week in advance), sooner or later one will be (http://antivirus.about.com/b/a/230918.htm will have details of when and where to download a patch, if you're not set up with automatic updates). But once again, MS is behind the 8 ball, giving Mac and Linux users more stuff to snigger at (believe me, sniggering at Microsoft is high on the agenda for both crowds).

Wouldn't it be great if you could anticipate these things in advance – or at least be on the cutting edge of security developments, so you can compute in peace without having to worry about what to click on or view? How would you like to have a seasoned staff of volunteers check out your system and keep it up to date with the latest fixes? For free? You'd like that, wouldn't you? Well, check out this space next week for details!


Ds@newzgeek.com