Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  

Microsoft Enters 2006 with Yet Another Major Security Problem
 

For months now, Microsoft executives have touted 2006 as a year of innovation, with an unprecedented number of major product releases. But the new year is starting out on a decidedly low note, as Microsoft struggles to overcome bad news about a security vulnerability that affects every single OS it's shipped in the past 10 years. In what is now a familiar situation, the company is beset by yet another dangerous software vulnerability, and its customers are right in the crosshairs.

Welcome to Microsoft's credibility problem. Late last week, the company was confronted by news that a newly discovered vulnerability in the Windows Metafile Format (WMF) image file format--a vulnerability that affects virtually every 32-bit Windows version ever made, including fully patched Windows Server 2003 and Windows XP systems--was both more serious than previously expected and already being exploited by malicious hackers. The software giant responded by saying that it would fix the problem by January 10, 2006, at the earliest, which is the date of its previously scheduled monthly security patch release for January. There's just one problem: This flaw is so serious that security experts now believe we can't wait that long.

On Sunday, security researchers at the SANS Institute Internet Storm Center warned that Windows users shouldn't wait for Microsoft's patch but instead install a third-party patch that SANS evaluated over the weekend. To find out more about this patch and grab the free download, see the SANS WMF FAQs at the URL below.

I'm not sure I can recommend installing this patch, but consider this fact: You can be exploited by browsing the Web, or even by simply downloading an infected email. It doesn't matter how up-to-date your antivirus solution is, and it doesn't matter which browser you use, although Mozilla Firefox does offer a level of prompting that's not found in Microsoft Internet Explorer (IE).

Scared yet? You should be. And it's just going to get worse, as newer, more dangerous attacks are launched in the week before Microsoft issues a patch. My guess is that this isn't the kind of New Year Microsoft envisioned for Windows.

 
SANS WMF FAQ page.







Reader Comments

Two words: Big Surprise. Sarcasm definitely intended. I hate that I have to spend 20% of my time in front of my PC fixing Windows, only to learn that there's a vulnerability I can't stop.

mwrisner -January 03, 2006

Normally I'd just make some smarmy comment and resist the urge to chortle, but honestly...what the hell is going on in Redmond? Do these people realize just how much lost productivity results from vulnerabilities like this? Perhaps it's balanced by the revenue generated from fixing this crap. But after 10 years, if anyone honestly thinks that a new version of Windows is going to fix this kind of endemic problem, they're deluding themselves.

lotsamystuff -January 03, 2006

Oh, and I love this quote from SANS: "Note: If you're still running on Win98/ME, this is a watershed moment: we believe (untested) that your system is vulnerable and there will be no patch from MS. Your mitigation options are very limited. You really need to upgrade." Unbelievable. Perhaps I should just throw away my kid's laptop that runs '98, because Micro$oft can't throw a few dollars out there to fix their freakin' swiss-cheese-security-hole software. Honestly, I don't have 600 bucks to replace the laptop with one that can run XP. And people wonder why Microsoft is so hated.

lotsamystuff -January 03, 2006

And Apple users everywhere chuckle away and continue typing on their Powerbooks.

bonch -January 03, 2006

Oh yeah, I got it last week. Norton AV and MS AntiSpyware didn't block anything. Heh, it's a good thing that I got a DVD burner for Christmas, I was able to back up everything before the big cleanup (which means format and reinstall).

pavigeant -January 03, 2006

Some info I had to test to find out: You can unregister the shimgvw.dll as a non-admin, but you can't reregister it unless you're a local admin. This limits that workaround's effectiveness in a logon script.

511PF -January 03, 2006

lotsamystuff, the sooner people get off 98/Me the better. They have NO security in them. Everyone who uses them is an administrator all the time and can do anything on the system. If you care AT ALL about security, move to the NT line.

PatriotB6007 -January 03, 2006

Security vulnerabilities are an industry-wide issue and if you cannot admit this, get out of the business. The patch has to be vigorously tested before they can release it and if it isn’t, they will be in the good old damned-if-you-do/don’t scenario. There is an old-fashioned workaround available and even a homemade patch but you run the risk either way. These types of malicious attacks are exactly what anti-virus is designed to combat. Happy safe browsing!

KingBuzzo -January 03, 2006

PatriotB6007, the NT line obviously isn't that secure either, perhaps you should suggest an alternative operating system to Windows itself instead. Normally I too would be laughing about such news, but being a Windows 98 and XP user for almost the course of eight years it really isn't all that funny. I haven't touched Windows since this early summer, and boy am I glad that this isn't affecting me.

DerekTraver -January 03, 2006

Yeah, let's put that Powerbook comment in the open. Microsoft 10 billion users, Apple 1 million. Gee, I wonder who I would be hacking. Let's get to the point: Apple or Microsoft or Linux, it's software and they ALL have vulnerabilities. Just hackers prefer to get the biggest BANG for their buck. Microsoft is on the front line. So they get it more often.

coke_2001 -January 03, 2006

So Microsoft embeds their software into the system source code of Windows. Hackers look for vulnerabilities in that software, and when they find a hole the hackers have a direct portal to your PC, thanks to Internet Explorer for instance being built into the system. OS X users don't have this problem, because Apple didn't embed their software into the Unix sub-system. Doing so is a stupid idea, because when there is a security breach the effects are more easily critical to one's system. Explain to me again where this has anything to do with popularity? The high level of impact hackers have on Windows is largely due to the accessibility they gain because Microsoft's software is directly a part of the Windows system source code. In addition, it's all the more reason to hack Windows because it will in turn affect so many users. I believe that's a little more accurate than something like; "well it's because there's more Windows users, duh..." Oh and for the record, research the iMac G5 sales of 2005. They alone sold over a million before the end of September '05 so how did you calculate that there's only one million Mac users in the world? Very incorrect, which makes one judge the validity of your comment altogether. And if the sole explanation of attacks on operating systems was a direct response to popularity, all the more reason to own a Powerbook right now. You knock those users, but they obviously have some common sense. You might as well have just said you're a moron because you use an operating system which you know gets attacked all the time. You're just too proud to switch to not only a more secure, but more technologically and graphically advanced operating system than the current day version of Windows. Windows users have anti-spyware, anti-virus, adware, and firewalls because Windows is hacked more, while Mac users don't even worry about those things. No matter what way you try and explain, it doesn't change the current situation.

DerekTraver -January 03, 2006

Interestingly enough, though, and this is a credit to all of Intel, Microsoft and AMD, you will notice from the report that if you have a CPU capable of DEP [Data Execution Prevention] and you have it enabled in Windows, the exploit is ineffective against your system.

msgstephen -January 03, 2006

Derek - Regardless of NT's flaws, it is several orders of magnitude more secure than 9x. Also, I can't suggest an alternative operating system to Windows because Judge Jackson said there are no alternatives. Remember?

PatriotB6007 -January 03, 2006

Yes, all operating systems are insecure to some degree. Yes, all browsers are insecure to some degree. Yes, all systems integrate components into the core operating system. All operating systems work pretty much the same way. They're much more similar than they are different and the vast majority of the OS is under what you see. Was Microsoft too trusting? Yes. Was Microsoft naive to the problems of connected world with respect to viruses? Yes. I find it interesting that this battle is most often fought by the people who aren't actually doing the coding. Because if you were doing the coding you'd realize how incredibly hard their jobs are. Billions of lines of code, some of it decades old. Windows has consistently sacrificed security for compatibility. So much software out there is written badly and Windows just trudges on. So much HTML code out there is written badly and IE just trudges on. Windows won developers by making their lives easier. And more software for the platform has meant people buy the platform more often and more people on the platform makes the businesses writing software happier because that many more people are using platform they can make money on. Cycle repeats. Up until recently in computers security hasn't been a major concern for people because frankly viruses spread pretty slowly. And Microsoft prioritized other things and it made them a lot of money. Now, post Melissa, we live in a readily infected world and security is a concern and they will eventually get it right. Why, because they're not idiots. Unix, on the other hand, started in a networked environment and needed to be secure. Unix was built in multiuser land and was connected long before anybody else was and so it was developed with that as a priority, but you notice there aren't that many Unix desktops out there. That doesn't mean it's a bad OS, just bad for a market it didn't concentrate on.

orion.adrian@gmail.com -January 04, 2006

To Orion Adrian: Yes, I agree there. As well, malicious coding used to be more of a prank or of the destructive type whereas in more recent years it is mostly profit driven. The attackers are much better coordinated and much much quicker to respond when an exploit is found out. Most U.S. companies don't have multitudinous criminal and terrorist groups dedicated to their destruction and the harassment of their customers, Microsoft does. Note, though, that this exploit will not work on more current AMD/Intel/Windows combinations which are DEP capable and have DEP enabled - at least that's how I read the report. Now mind you, there are a lot of computers out there without DEP on. But, increasingly, there are. And these exploits which often make use of buffer overrun will not be as effective as they once were the more people replace older CPUs and older versions of Windows with newer DEP capable CPUs and new versions of Windows that enable it.

msgstephen -January 04, 2006

P.S. to Orion Adrian: To quote SANS: "With Windows XP SP2, Microsoft introduced DEP. It protects against a wide range of exploits, by preventing the execution of 'data segments'. However, to work well, it requires hardware support. Some CPUs, like AMD's 64 Bit CPUs, will provide full DEP protection and will prevent the exploit."

msgstephen -January 04, 2006

"but consider this fact: You can be exploited by browsing the Web, or even by simply downloading an infected email. It doesn't matter how up-to-date your antivirus solution is, and it doesn't matter which browser you use, although Mozilla Firefox does offer a level of prompting that's not found in Microsoft Internet Explorer (IE). Scared yet? You should be...." Wow! I was starting to get pretty scared and freaked out reading Paul's warnings on this latest bug. But then I realized that none of it applies to me since I use a Mac.

nim55 -January 04, 2006

To Nim55: Sure, that's the case according to the report. But also unaffected are people using DEP capable Intel and AMD processors with DEP fully enabled in Windows. Sorry to blow the anti-Microsoft bubble, but these buffer overrun exploits just aren't much going to affect users of Windows on modern computers anymore.

msgstephen -January 04, 2006

PatriotB6007, Judge Jackson... pretty good :P True as a general statement, NT is more secure than 9x, fair enough. There are more secure solutions to NT as well though, just thought I would have brought that up earlier. Orion, I agree on many certain terms with you. You do appear to understand what coders go through. I personally do not code for operating systems, but that doesn't mean I don't know what they face and how Windows brought upon themselves the destruction they are seeing today. But consider this as well. Apple developers have made sacrifices to make their operating system easier to use and understand by the general public as well for the past five years with OS X. Not to mention, Apple has also increased their market on a massive scale since the late 90's and just doubled year-over-year sales from 2004 to 2005, this year reaching an all time high in revenue and being noted by analysts as one of the only computer companies who did well in 2005. OS X is far more popular than any previous version of Macintosh operating systems, yet you still don't see security problems increasing all the while like others on here suggest as if it's some rule of thumb which goes along with popularity. In fact, each new version of OS X has been more secure than the previous. Makes sense doesn't it, well it should... Another problem which is overlooked with Windows users many times is how many of them don't protect themselves against threats. Using necessary measures in protecting yourself is a factor unto itself with security, independent of popularity. And absolutely, Unix was developed to be a secure system. In many cases Unix was used solely for the purpose of protecting important documentation by banks and large corporations in the early 90's. It's also the sub-system for coding chosen by Apple to be used in OS X. Apple's OS X Tiger is also one of the most secure operating systems in the world today.

DerekTraver -January 04, 2006

To: DerekTraver "many of them don't protect themselves against threats." No kidding. Every dog, man, woman and transgendered out there [almost] has a PC running Windows. I can't imagine some of the stuff that must go on. So yeah, some people are going to be running some pretty crazy boxes. I would think that if Apple were fifty or a hundred times more popular then it would attract malicious coders, schemers and the like. But Windows is where the action is. Needless to say, though, if a person takes reasonable precautions, as they should running any computer on any platform, then they can run relatively securely with Windows. Especially now-a-days with DEP etc. that blocks buffer overrun upon which so many exploits [such as the WMF exploit] depend.

msgstephen -January 04, 2006

To Derek's comments: point taken, embedding software into the OS is stupid. And I was trying to make a neutral comparison; Microsoft has 90% of the PC market. If Apple were equally on PCs and could be open on the hardware side I am sure they would face the same problems. Just because Macs don't get viruses Does make make them superior. As Apple popularity grows so will their problems with spyware and hackers.

coke_2001 -January 04, 2006

Well here are some thoughts that have grown in my mind over the past two years before I purchased my first Mac this past summer. The overwhelming majority of security breaches in Microsoft's systems has seemingly been in the past several years, the majority. So it's not like Windows has always been in this situation, not even since 2001 for that matter. Thus why I never had a problem running my Windows machines until most recently. But Macs have been increasing in numbers more than people take to memory, and I haven't experienced any significant threats at all, without firewalls or anti-virus too. Upgrading to Tiger from Panther actually made my Mac more secure than before, as time has progressed it hasn't become less secure with increasing numbers. And to me, it's not just the popularity that counts for making an attack. Would it also not be more less effective if it is in who you are attacking? The operating system scientists prefer in the fields of organic chemistry, life sciences, geology, and microbiology is OS X. The majority of research institutes and colleges of science use Macintosh for their scientific research. The national reserve as of last year is run on Macs. So is Hollywood, even Disney's Pixar uses Macintosh. Are those not excellent targets? Attacks made on Macs are a perfect opportunity to disrupt or slow down at the very least our productive research, and source of entertainment. Attacking home users as a majority at most will force a reformat. Big deal, to an organized group of hackers who want to cause damage to our society I don't see that as being that much of an issue. As been stated above by other people, hackers aren't stupid. Why would they choose not to attack Macintosh? Less in number yes, but in many cases where it counts. Full effort into destroying Windows isn't very logical, it's not the only OS used by important people. Perhaps some shared insight?

DerekTraver -January 05, 2006
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement