Recent reports of users being hit by variants of the JS/Fortnight
JavaScript worm underline that many computers are still not being
reliably patched against critical security vulnerabilities.
Astonishingly, the worm exploits a vulnerability for which Microsoft
first issued a patch almost three years ago.
The recent reports of the JS/Fortnight-D and JS/Fortnight-F worms
underline a serious security problem, say Sophos experts.
The Fortnight JavaScript worm exploits a vulnerability in the
Microsoft VM ActiveX component which allows malicious code to
execute as soon as a message is viewed in an HTML-aware email client.
In other words, unlike many other viruses that travel via email, the
user does not have to open an attached file to activate the worm;
simply previewing or reading the message is enough.
Yet Microsoft first issued a fix for this vulnerability in October
2000, in Microsoft Security Bulletin MS00-075. Any system on which
that patch was applied is not at risk from the worm.
"Most businesses today recognise that good, up-to-date
anti-virus software is an essential part of the defence against
malware threats," said Graham Cluley, senior technology consultant
for Sophos Anti-Virus. "However, it is not the complete solution.
Additional steps such as ensuring your systems are up-to-date with
the latest security patches are also important."
Sophos recommends that customers monitor announcements from
operating system, application and web server software vendors for
details of new vulnerabilities found in their code. Many viruses
have exploited loopholes in commonly used web browsers and email
software to increase their chances of spreading effectively.
Astonishingly, even when security vulnerabilities are discovered,
patched and publicised before they are exploited, many people will
still not have applied the fix by the time malware arrives to take
advantage of them.
Loopholes are found in products on a weekly basis, some significant,
some trivial. IT managers should keep abreast of these loopholes and
apply patches where appropriate before new viruses come along to
exploit them. Every IT manager responsible for security should
consider subscribing to vulnerability mailing lists such as the one
operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx.
Other vendors offer similar services.
"Home users might consider checking out the services Microsoft
offers at windowsupdate.microsoft.com, which can scan
your home PC for security vulnerabilities and suggest which
critical patches need to be installed," continued Cluley.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.