We got our Christmas present - but it’s not all over!
Fraser reported earlier this week about the need for a patch to fix the latest critical IE vulnerability. Fortunately Microsoft have listened to the tide of opinion and put out the appropriate patch to fix this vulnerability. All credit to Microsoft for doing this. They must have worked round the clock to get their QA testing done on all the platforms and languages they support. The question that now needs asking is whether it is all over.
For this particular vulnerability the answer is going to be “Yes”. Microsoft have closed this particular door. However, should we feel any safer? The answer is, unfortunately, “Probably not”. Once my machines were patched at home I initiated a scan with Sophos ESC with every heuristic enabled just in case something had got onto one of the machines. Fortunately both scans came up clear but all I probably achieved was an increased peace of mind.
I could have switched to Firefox for the duration of the knowledge of this vulnerability, but in the middle of Microsoft’s problem with IE, Mozilla issued their own patch of security fixes, so they have had their own concerns, though not with the same actual problem. The truth is that all software is flawed in some way and the bad guys will take advantage of any vulnerability found. The latest threat report from Sophos highlights the increasing use of PDF and Flash formats for malicious purposes.
In this particular case the vulnerability is probably no worse than any other critical IE vulnerability from the past. Unfortunately it caught everyone’s attention, especially the media, and it has just fed itself until Microsoft has closed it. Yes, some high-profile sites have been compromised, but that actually happens every day for one reason or another.
All I can say is to encourage everyone to practise safe browsing; don’t believe everything you see and don’t click just to see what might happen. Above all make sure those patches are applied as soon as they come out and not just for Microsoft products.
Here is a list of all the Sophos links involved in this story - so far:
- Dec 11: Internet Explorer: zero-day exploit
- Dec 12: More on the Internet Explorer zero-day
- Dec 16: All I want for Christmas is a patch
- Dec 16: Stop viewing porn in Internet Explorer.. for now
- Dec 16: Microsoft to release emergency patch for zero-day flaw
- Dec 17: Defending against that Internet Explorer exploit
- Dec 17: Critical Internet Explorer patch now available from Microsoft
- Dec 19: We got our Christmas present - but it’s not all over!