Our Blog

DNSChanger Problems Not Over

Computer Security Baltimore, IT Tips Baltimore

For the past several years, one of the worst malware problems that we’ve seen has been what’s been called DNSChanger. It’s not because it’s particularly difficult to remove, although it isn’t easy. Rather, it’s because of how it compromises a user’s Internet security.

To understand what it does, we need a brief explanation of DNS. DNS stands for Domain Name System, and it’s essentially the Internet’s phonebook. Your computer doesn’t really know what www.yahoo.com is. It might know it as 98.139.180.149. But you aren’t going to remember that. So instead, when you enter that name into your browser, your computer asks the DNS system to give it the correct number, aka the IP address. And how does it know? Well, it asks. It asks its upline, which then might ask its upline, etc., until it finds a DNS server that knows the correct address. Then the answer gets cascaded down to your machine, which then knows where to go.

But what would happen if your DNS server lied to you? What would happen if you asked for www.yahoo.com, and it came back with 173.201.243.1? Your browser address bar would still show you http://www.yahoo.com, but the actual website wouldn’t be Yahoo’s. But what if the webserver at that address was mocked up to look like Yahoo’s site? Well, now we have some real trouble, because you, as the user, would never know that you were entering your Yahoo username and password into a site that wasn’t Yahoo, and you’d be giving the owner of that fake-site your real Yahoo username and password.

And what would happen if it wasn’t Yahoo they hijacked, but Wells Fargo, Bank of America, PayPal, etc…? See the problem?

That’s what DNSChanger does… or did. Once installed on your system (and it infects both Windows and MacOS), it changes your DNS servers to ones that lie. They send you to custom-crafted websites made to look like other real sites, in order to steal your account information.

Now the good news is that the FBI and several foreign governments stopped it! Operation Ghost Click resulted in a number of arrests, and best of all, they got the fake DNS servers. And then they did a smart thing: They decided to fix those fake DNS servers, and make them real DNS servers, so that all the machines infected with it would just start working properly. Users need never know that their machines were infected, because the infection amounted to nothing.

But alas, bureaucracies can never leave a good thing alone. The German Federal Office for Information Security has decided that, on March 8, 2012, those fake-now-good DNS servers will be taken down. So now, and this is the reason I’m posting this, on March 8, many people will suddenly find themselves unable to use the Internet. If this happens to you, your machine is probably infected.

If that happens to you, you can call your local IT service company, or try to remove it yourself. Here are some links to get you started.
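One practical way to check for the symptom this post describes, offered here as an added example (it is not code from the original post): list the resolvers a machine is configured to use and flag any that fall inside a list of known-rogue address ranges, then compare the answer your configured resolver gives for a name against the answer from a resolver you trust. The rogue ranges below are constructed placeholders (documentation/test networks), not the real DNSChanger ranges; the sample resolv.conf text and the answer sets are constructed too, with the two Yahoo addresses taken from the post. Windows users would take the resolver list from `ipconfig /all` instead of /etc/resolv.conf.

```python
"""Added example: check configured resolvers and compare answers (defender view)."""
import ipaddress
import re

# CONSTRUCTED placeholder ranges for this example (RFC 5737 test networks).
# Substitute the published rogue-resolver list when using this for real.
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Matches "nameserver <address>" lines in resolv.conf-style text.
NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def configured_resolvers(resolv_conf_text):
    """Return the resolver addresses listed in resolv.conf-style text."""
    resolvers = []
    for match in NAMESERVER_RE.finditer(resolv_conf_text):
        try:
            resolvers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # skip anything that is not a literal IP address
    return resolvers


def rogue_resolvers(resolvers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return the subset of resolvers that sit inside a known-rogue range."""
    return [r for r in resolvers if any(r in net for net in rogue_ranges)]


def answers_disagree(trusted_answers, observed_answers):
    """True when the configured resolver's answer shares no address with a
    trusted resolver's answer for the same name. Treat this as an indicator,
    not proof: large sites legitimately hand out different addresses to
    different resolvers, so confirm with a second trusted resolver."""
    return not (set(trusted_answers) & set(observed_answers))


def assess_host(resolv_conf_text, trusted_answers, observed_answers):
    """Combine both checks into one report for a host."""
    resolvers = configured_resolvers(resolv_conf_text)
    rogue = rogue_resolvers(resolvers)
    report = {
        "resolvers": [str(r) for r in resolvers],
        "rogue_resolvers": [str(r) for r in rogue],
        "answers_disagree": answers_disagree(trusted_answers, observed_answers),
    }
    report["suspect"] = bool(rogue) or report["answers_disagree"]
    return report


def read_resolv_conf(path="/etc/resolv.conf"):
    """Read the live resolver file on Linux/macOS; empty string if absent."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except OSError:
        return ""


# Constructed sample input: one normal resolver and one inside a placeholder range.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.168.1.1
nameserver 203.0.113.77
search example.test
"""
SAMPLE_TRUSTED = {"98.139.180.149"}   # the real address from the post
SAMPLE_OBSERVED = {"173.201.243.1"}   # the "lying" answer from the post

if __name__ == "__main__":
    import json
    print(json.dumps(assess_host(SAMPLE_RESOLV_CONF, SAMPLE_TRUSTED, SAMPLE_OBSERVED), indent=2))
```

Run as-is it reports the constructed sample; to check a real Linux or macOS host, pass `read_resolv_conf()` as the first argument and fill the two answer sets from `dig @<trusted resolver>` and a plain `dig` for the same name.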

SOPA-box Letter

IT industry, Politics

Those of you who have been following my Facebook and Twitter posts, should know that I am very much against the new proposed Stop Online Piracy Act (SOPA) legislation.

So I wrote to my Congressman, John Sarbanes. This is what I wrote:

Congressman Sarbanes,

I was distressed to hear that you are a supporter of the Stop Online Piracy Act (SOPA – HR 3261), and would like to ask you to consider changing your mind.

My assumption is that the members of Congress who are supportive of this terrible piece of legislation either don’t really understand it, or are in the pocket of the Entertainment and/or Pharmaceutical industries. And they already have the DMCA and other laws to protect their interests.

But please allow me a minute to explain some of the wrongs that SOPA will cause:

SOPA has several “layers” around it. But all of them wind up by providing draconian measures against US companies, with nothing more than an allegation of wrongdoing. These measures can be put into play before the alleged wrong-doer is even informed that there is a problem. Can you imagine what damage would be done to a small business, like mine, if one day I came to work and discovered that:
– My website was down.
– My company’s web-presence was suddenly deleted from all Internet search engines.
– Payment sites, like Paypal, would suddenly no longer provide payment services for me.

And why? Because someone CLAIMED that I violated a copyright. Even if the allegation was limited to one small thing, which could easily have been removed and/or corrected if needed and asked, SOPA gives the courts the power to destroy my business.

Imagine the misuse to which this legislation could be put!

Even software companies like Google, Facebook, Twitter & Zynga, are opposed to it, with Google actually scheduled to testify against it during the congressional discussion. Even Microsoft, which makes the majority of its money licensing software, and has backed other IP legislation efforts in the past, has come out against it!

Congressman Sarbanes, we live in an increasingly litigious world, frankly, much to our detriment. HR 3261 will only compound it, making it that much easier for the “big guys” to stomp all over us “little guys”. Is that REALLY what you want to support?

Please rethink your position and stand with the rest of us; the folks not in Big Entertainment and Pharma.

Thank you!

Since I wrote him that letter, the vote has already taken place in the House, and the Senate version of the bill seems likely to pass. “Congressman Sarbanes” wrote back to me, as follows:

Dear Mr. Spigelman:

Thank you for contacting me regarding the prospective legislation to curb online theft of intellectual property. I appreciate hearing from you about this important issue.

Online commerce should not be a mechanism for abusive business practices, violations of individual privacy rights or copyright infringement. Intellectual property and privacy laws should apply to all forms of commerce. I am privileged to serve on the House Committee on Science and Technology, the committee with jurisdiction over technology policy, and I will be certain to keep your views in mind when the Committee or the full House of Representatives considers these issues in the future.

Again, I appreciate hearing from you. Please do not hesitate to contact me about other issues of concern to you in the future.

Sincerely,

John Sarbanes

Now I may be just jaded, but my read of his response is, “I’m not going to tell you what I’m going to do in the future. I’m not really that interested in your opinion. But thanks for writing me.”

Don’t get me wrong: I’m not necessarily against IP legislation. I do believe that it’s important to protect people’s work, and that if you take away the profit motive, there will be much less incentive for people to create. But I’m opposed to THIS legislation because it gives too much latitude to cause too much damage, without the subject even having the opportunity to defend themselves.

And don’t think that the companies and organizations involved won’t use that latitude to their complete advantage. They do all sorts of legally-questionable, morally-reprehensible things now, to even very small players, even without the legal backing. Take, for example, the recent behavior of Universal Music on the website Megaupload: They’re inappropriately using even the laws they DO have available, and then sitting back to see whether the victims will be able to afford to defend themselves.

That’s right. As it is, a large conglomerate can squash a small business flat, by litigating them to death. And that’s with the laws they already have. They don’t need this. And they shouldn’t have it.

To his credit, Pres. Obama has promised to veto this, if it comes to his desk, but it’s a funny thing about politics… Things change. But maybe, if enough of us start reading up on SOPA; start writing our Senators and Congress-people, we can stop this thing from actually becoming law.

Personally, I think this whole thing is going to go until the Webster’s Dictionary folks file suit against everyone in the country, including the Federal government, for unauthorized use of the words in their dictionary.

Intuit Failures

Uncategorized

At some time, on November 14, 2011, Intuit performed system maintenance across their online-service systems. And then something went horribly wrong. The systems didn’t work as they were supposed to. Online invoicing stopped working, as did their merchant-services payment processing system. Intuit quickly responded via Twitter and their Facebook page, telling everyone that they were aware of the problem, and that they were working on it. At some time between 8:00 & 9:00 PM (EST) that night, they updated their pages as follows:

“QuickBooks Online is back up and running. We apologize for today’s service disruptions and for letting you down. Improving service reliability is a top company priority right now.”

But this morning, things were still not working properly. As of this writing, it’s still not working. At about 11:00 AM (EST), they posted this follow-up message:

As part of our efforts to improve service and increase uptime, we did maintenance work over the weekend which caused issues with several of our systems on Monday, November 14. We are experiencing the same issues today and in order to fix it have decided to take QuickBooks Online, QuickBooks Online Payroll, QuickBooks Connected Services, QuickBooks payments processing, GoPayment and all other payment processing services offline until at least 12:00 p.m. PST. No data has been lost. More info: http://bit.ly/tx620f

We’ll have to wait and see.

Now, for me, this is largely an inconvenience. It’s not hugely disruptive of my business efforts. But there are folks out there who use these services for their day-to-day operations. People who have stores that take credit cards are the ones who have been hit hardest. Imagine having to explain to your customers that you can’t take their payment right now. There’s talk of a class-action suit, which I could easily see happening. The natives are not just getting restless, they’re getting mutinous.

Businesses often have to perform maintenance or updates on mission-critical systems. These are typically scheduled during off-hours, so as to minimize impact on their customers. And Intuit did that. But for a mission-critical system, you typically try to have backups; possibly even backups to the backups, so that in the event that something goes horribly wrong, you can get something back into place, quickly, in order to minimize the impact on the users. This, it would seem, Intuit did not do – at least not very well.

This leads me to one of two conclusions:

  1. They didn’t do their jobs properly.
  2. They don’t consider these online systems as “mission-critical.”

If it’s the latter, that’s a major problem. Their customers are small businesses, and these systems, while perhaps not entirely mission-critical to Intuit, are definitely so for their customers! Under normal circumstances, my reaction would be something along the lines of, “If they aren’t that concerned for our business, maybe they shouldn’t have it.”

The problem, in this case, is one of monopoly. Intuit enjoys a fairly monopolistic hold on the small business financial software market. There is simply no other product out there that does the job QuickBooks does, with as much flexibility and power, and for as low a cost. There are many competitive products out there, mind you, but QuickBooks is the standard to which they are all measured, and there aren’t many that measure up very well, especially for the price. In the U.S., some 95%+ of small businesses use QuickBooks. So they’ve got us small business people essentially over a barrel.

Products like FreshBooks are great for some simple needs, but not nearly as powerful. And products like Peach Tree have a lot of power, but you really need to understand the underlying accounting principles to use it. And most small-business accountants out there love the ability to just take a copy (or Accountant’s Copy) of the file, and work with it on their own, without messing up anything live. Where are you going to find that sort of functionality and presence?

So we’re pretty much stuck. Any thoughts?

Security as a Forethought

Uncategorized

An article I read today on HuffingtonPost.com talked about security researcher Jay Radcliffe’s recent experimentation on his own insulin pump and blood-sugar monitor. He discussed his findings in his Black Hat conference briefing. Basically, he found that these devices, and presumably others, could be compromised through their wireless capabilities. It could be possible to cause a monitor to display incorrect readings, or a pump to dispense insulin inappropriately.

“Everybody’s pushing the technology to do more and more and more, and like any technology that’s pushed like that, security is an afterthought,” Radcliffe said.

And that’s the problem: Increasing technological capabilities, with Security as an afterthought.

We’ve been doing this technology thing for awhile now. We know there are risks. We know there are people who want to circumvent or break systems, for a variety of reasons. Anything with any kind of connectivity must have Security as part of the original design plans; not something you try to patch later.

When Should I Replace My Computer

IT Tips Baltimore

When customers ask me whether it’s worth fixing their computers, I am often faced with a dilemma. The correct answer, for many of them, is that they need to replace their machines. But it’s an expense they may not want. At the same time, I don’t want to come off sounding like I don’t want to help them, and that the first thing to do is always replace them.

My rule of thumb has been, if the machine is over 3 years old, it’s probably better to replace it. Why? Because there’s a certain point at which you’re spending good money after bad. It’s usually not worth spending money on fixing an old machine, when the replacement cost is not much more than the repair cost.

Today, I saw an article on Yahoo! Finance that says just that.

“4. Computers and Electronics
Computers break – frequently. So do the myriad of electronic devices we have around our homes, such as CD players, GPS units, televisions and alarm clocks. Electronic devices can be expensive to fix, and often, impossible to fix. As the price of most electronics continues to decrease while the features and capabilities increase, it is often not worth the cost to repair them. This applies doubly to computers.

As new programs and online applications grow in size and complexity, they take up more memory. Older computers often cannot keep up after three or four years. While new memory can be added and minor repairs and disc cleanups can be made, using a clunky four-year-old computer often takes more time than it is worth. If time equals money for you, buying a new computer is often the best choice if the existing one is more than a few years old.”

This is especially true for business computers, where time really is money. The costs involved in fixing old machines, really can be more than the cost of replacing them. With the advent of Cloud Computing, a lot of old data doesn’t even really need to be migrated anymore. It lives in the Cloud, and can just be downloaded again. And if data needs to be migrated from the old machine to the new, we (or your IT service provider) can typically help with that.

Expectations of Privacy

Computer Security Baltimore

In the future, there will be no privacy. Truth is, there’s really not so much of it now, but in the future, we’ll all know it, and not be shocked or surprised when we discover that it’s been breached. Now isn’t that a cheery thought?

I don’t know if it will actually become Law, or just the understood de-facto situation, but it will happen. It will be due, in part, to “Big Government,” in all technologically-adept countries, but it will also be due in part to carelessness: on our parts (i.e. Consumers), and on the part of the companies we need to work with.

Our Part

As consumers, most of us are usually looking for the easiest path to just about anything, whether it’s something that’s good for us or not. We want it “easy.” That’s why we don’t fix our default FaceBook settings, unless someone posts something about how we should. It’s why we use the same username and password for every website on the Internet; why most of us use passwords like “Password” or “123456”, and why we keep even those on a piece of paper we carry around with us, or have it on a Post-It Note stuck to our monitor, or to the bottom of our keyboards (if we really want to be sneaky!), or maybe we even have it in an unencrypted text document called Passwords.txt, on our computer’s desktop.

We say we care. We even think we care. But we don’t – not really. Because “Security” is, by its nature, inversely-related to “Easy.”

The Companies We Work With

If we don’t care about our own privacy and security, why should others care? And so we have breaches at Sony, which compromised hundreds of thousands of user’s data, including usernames, passwords (which we’ve already established, we use for everything), real names, email addresses, and other bits of information. And what did people really care about? Well, the PlayStation network was down for a few weeks! They couldn’t play MegaGoryDeath VII! I don’t recall there being much out there about masses of people changing their passwords for everything.

This morning, I read Casey Halverson’s excellent piece about the Nissan Leaf’s new CarWings system. Now CarWings is intended to make things really easy for the driver, and frankly, it does a bunch of really cool things. Among those things is an RSS reader, which enables the user to set up feeds from various websites, which it will then read to you. So you can listen to the latest CNN or FoxNews articles while you drive. But it’s the GET request that Casey found so interesting. (An HTTP GET request is the message your computer sends to a web server, in order to request information from that site.) Usually, GET requests are formulated to provide certain information to the web server, so that the server can better provide the data to you. For example, it will usually contain the name of your browser, so that it can be used to better format the page for you. In this case, as Casey demonstrates, CarWings also includes your current latitude, longitude and speed, as well as your destination latitude and longitude, if you’ve put that into the GPS module. This information is sent in clear text across the GSM cellular data connection, to any site you point it at. At the moment, sites are probably not configured to actually use that information for anything, but in the future, it could be used to, say, enable local businesses to promote themselves to you as you drive. Imagine driving down the highway and having the car tell you that you need to charge up the car, and that there are 3 charging stations within 5 miles of you right now, and that the Shell station on Exit 35 has the best price today, but that the Exxon station at Exit 36 is offering a free car wash. Hey – that’s pretty cool. But now imagine getting a bill from the local police dept. because you were driving over the speed limit. Imagine a stalker knowing not only where you are, but where you’re going. Now it gets a bit more scary. And what if the rapist in the car behind you has a GSM scanner, and can discover where you’re heading? Now he can follow you at a leisurely distance, or perhaps even beat you there (think Little Red Riding Hood), instead of trying to find an opportune moment to do it.

But we like the “features” aspect of it all, so we don’t complain about these types of things – at least not loudly. And so there’s really no disincentive for manufacturers to pull this sort of thing. We just don’t care.

What can we do?

We can vote with our feet, and our keyboards. We can tell Nissan, and others, that we don’t trust them with that much personal data. That we aren’t going to buy the Leaf, even though we like the car otherwise, because we believe it’s an invasion of our privacy. We could rail, not whimper, when Sony or Best Buy or others get hacked and expose our personal data, which could have been much more protected had they taken the simple expedient of encrypting the data! Then companies wouldn’t even think of doing things like this. But as long as we just shrug our shoulders, and go on with our days, they won’t bother.

Is this what we want? Is it what we need? I guess that’s a political argument. I’m just reporting on the technology.

Can Macs get viruses too?

Uncategorized

This week we heard of two virus-attacks against Macs, out in the wild. But wait… Is that really possible? I thought Macs were immune to viruses!

Sorry folks, they’re not. Never were. The problem is that a lot of people don’t seem to really understand what viruses are, and what makes a computer vulnerable to them.

Basically, a virus is a program written by a person (they don’t just grow by themselves), for the purpose of attacking specific types of machines. Remember the Stuxnet virus that made the news in July 2010? That was designed to attack a specific Siemens industrial process control system, which was being used by Iran in their efforts to create nuclear weapons. That’s how specific viruses can be.

So why haven’t we seen them very often on Macs? My thought is that there are two primary reasons:

  1. Thus far, the Mac platform has simply not been considered worth attacking because of Apple’s market share relative to Windows. Although recently, Apple has had tremendous increases in market share, there are still many more Windows machines than Macs out there. If you were going to write a virus to, say, steal credit card numbers from consumers, would you rather spend your efforts on systems with more users, or with relatively fewer users? More PCs (and frankly, more less-educated users) means more targets, and that means more compromised machines. (There are even fewer viruses out there that attack Linux systems, for the same reason.)
  2. Windows XP and earlier had a lot of security vulnerabilities. A lot more than Vista and Windows 7. So the operating systems were easier to exploit. And the vast majority of Windows machines still out there (at least as of this article) run Windows XP.

Given those two reasons: More opportunity, and easier to break – it makes sense that most viruses were written to attack Windows systems. But as Apple systems gain more market traction, they become much more attractive to malware writers. The fact that Mac users are not used to using anti-virus software can potentially make it worse. And the fact that Mac users have never had to worry about dirty social-engineering tricks that Windows users have had for years – like the ones used by the most recent attacks – can potentially cause this to become very bad, very quickly.

So Mac users – don’t be so confident that you don’t need antivirus software, and start being vigilant about where you go, and what you allow to install on your machines. This is only going to increase.

More on Malware Sites

Uncategorized

Since my last post about the Windows UAC function, and how it can give you early warnings about possible malware infections, I’ve had a number of people ask me for more information about how the infections work. How do they get past your AV software?

AV Can Only Do So Much

The first thing to realize is that traditional anti-virus software has limitations. It can only find malware once it’s on your machine. And by then, much of the time, it’s too late.

What is User Account Control (aka UAC)?

Explanations, Uncategorized

The much-maligned UAC is an important Windows security feature that first made its debut in Windows Vista, and has continued into Windows 7 and Windows Server 2008. It’s a really important feature that we should all be embracing. But most people don’t really understand what it does; they find it annoying and largely ignore it. Worse, some folks actually turn it off, which removes a lot of the protections afforded by Vista and 7 over Windows XP.

In brief, UAC is the security feature that makes your screen go dark, and brings up a window asking you to Allow something to do something (e.g. install software) to your computer.

It is interesting that Macs have something very much like it, as do most current versions of Linux. But their users don’t seem to complain about it too much. I think this is due largely to the way Microsoft chose to go about it, particularly in Vista. Windows 7 has done it a lot better, but I still think we have a way to go.

So what, exactly, is UAC? What does it do? Why do you want it?

In order to understand that, we have to go back a little bit…

Why XP is so vulnerable

There’s a concept in Security referred to as “Least Privilege.” The idea is that you give someone the least access you can, while still allowing them to do their job. It makes sense, if you think about it. You give all of your staff access to the email system and the Internet, but the Accounting Dept. also gets access to the financials, and HR has access to the personnel files. There’s no reason for HR to be rooting around in the accounting system, or for Accounting to be looking at whether Bill was reprimanded for that incident in the Break Room… The Janitorial folks, who come in when everyone else has gone for the day, have access to everyone’s offices, but not the network. That’s Least Privilege: Everyone has what they need, but not more.

Well, most people don’t really need administrative privileges on their local computers either. Certainly not most of the time. It doesn’t take an admin to write a Word document, or work on a spreadsheet. But those Microsoft Updates need to be installed, and there’s that new version of Firefox, and they really wanted to try that new utility everyone’s been talking about… In larger companies, those things are regulated by the central I.T. Dept. and that’s that. But at home or in smaller companies, it’s just easier to let people do those kinds of things on their own. So it’s typical, on Windows XP computers, to just give the local user administrative-privileges on their own computers.

The problem is that now you use that administrative-user account to go to some perfectly legitimate website on a server that’s been infected, and wham – things start popping up all over your machine. Nasty, vile things that you don’t want to see; that you certainly wouldn’t want your kids, or your boss, to see. Then you get a window that tells you that you’ve got 3 bazillion viruses on your machine, and that you’ve been barred from the Internet, but that for a mere $80.00, they’ll unlock their “malware removal tool,” which will immediately fix all the problems, and all will be right in the world again.

And then, you call me…

UAC

Now imagine that you didn’t have to worry about some of those things. Imagine that your computer automatically stopped the bad stuff from infecting your computer. Imagine that, instead, your computer told you that something was trying to install itself, and then asked you if you were sure you wanted it to install. Then you could say something like, “Hey – I wasn’t trying to install anything on my computer. I was just surfing on a website. Why is it trying to install stuff on my machine? That might be malware. I’m going to say No!”

Alright, stop imagining. That’s what Vista and Windows 7 are doing. In keeping with the concept of Least Privilege, your “Normal” account is now secretly a “Limited” account. And for most of your day, that’s fine. When something comes up that requires Admin-level privileges, instead of just telling you that you can’t install it with a Limited account, it asks you if you’d like to temporarily upgrade your privileges, in order to do that particular function.

That gives you the best of all worlds: You’re using Least Privilege at all times, without even knowing it. The bad guys can’t install things surreptitiously on your computer, because they don’t have the permissions required to do it. The only way they can get those permissions is by asking you! Sure, they’ll use Social Engineering techniques to try to trick you into saying Yes, but that’s more difficult. You can say No.

But Microsoft doesn’t explain that part so clearly. Instead, in typical Microsoft-ese, they tell you that “A program needs your permission to continue…” They don’t tell you what, or why. And you get frustrated because you’ve seen it before, like when you were legitimately trying to install Flash Player, and they freaked you out with that pop-up window, (because you thought it meant you had a virus). But it turned out to be okay. Now, you see that window so often that you just Allow everything without even thinking about it. Or maybe you’ve disabled it entirely, to prevent it from ever bothering you again.

Software Companies and UAC

Also frustrating is that many software manufacturers actually recommend that UAC be turned off, in order to get their software to run properly. They do it because their software isn’t really written to the Vista/7 specifications, but they wanted to get their applications to run on those OSes, without having to recode them a whole lot. This is most common with “Vertical Market Applications,” which are applications written for specific industries: Beauty Salon Management software; Medical Office software; Auto Shop software; things like that.

The companies that make these types of software are usually smaller companies, with very limited budgets. They don’t want to rewrite their software if they don’t have to. And they often don’t have to because there’s no push-back from their target markets. They don’t have customers threatening to switch to a competitor because of it. But they should! Essentially, they are saying that they don’t care about their customers’ security. They’d rather put your computers and your data at risk, than rewrite their out-of-date code to conform with new security standards. And since you don’t know better, you don’t complain about it.

Well, now you know better!

What else can I do?

So if you shouldn’t turn off UAC, what do you do when some applications just won’t run properly with it turned on? What do you do when the software vendor’s Support Team tell you that it’s not compatible with their software?

I’d like to say that you tell them that you’re going to switch to another application unless they fix the problem, but that’s not always realistic. I’d also like to say that Microsoft has provided a way to address it, but unfortunately, they haven’t really.

Microsoft did improve the UAC configuration set significantly in Windows 7. In Vista, there were two settings: On and Off. And the On setting was very annoying, giving rise to things like this commercial, from Apple. Windows 7 now has an additional option in between those two poles. Alright, they give you two, but they’re really identical, except for the question of whether the screen goes dark or not. These additional options say that UAC will ask you about some things, but not about others. It’s much less intrusive. But even this isn’t good enough, in my opinion.
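The four positions described above (Vista-style always-ask, the two Windows 7 middle options that differ only in whether the screen goes dark, and Off) correspond to three values under one registry key. The script below is an added example, not code from the original post: it reads those values on a Windows machine and reports which position the machine is in, flagging the settings that leave you with XP-style full admin rights. The key path and value names (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop` under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`) are the real Windows ones; the mapping from value combinations to slider positions is my own reading of the Windows 7 slider, and the defaults used when a value is absent are assumptions. The registry read is Windows-only and is skipped elsewhere so the interpretation logic can still be exercised with values you copy in by hand.

```python
"""Added example: report the UAC level from the registry and flag risky settings."""
import sys

# Real Windows key; the three values below live under it (HKEY_LOCAL_MACHINE).
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Defaults used only when a value is missing (assumed: Windows 7 out-of-box values).
DEFAULTS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1}


def describe_uac(enable_lua, consent_admin, secure_desktop):
    """Map the three registry values to a slider position and a 'risky' flag.

    Mapping (author's reading of the Windows 7 slider, not text from the post):
      EnableLUA=0                      -> Never notify (UAC off; XP-style admin)
      ConsentPromptBehaviorAdmin=0     -> elevate silently, no prompt at all
      ConsentPromptBehaviorAdmin=2, PromptOnSecureDesktop=1 -> Always notify
      ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=1 -> Win7 default
      ConsentPromptBehaviorAdmin=5, PromptOnSecureDesktop=0 -> same, no dimming
    """
    if enable_lua == 0:
        return ("Never notify (UAC off): every program runs with your full "
                "admin rights, as on XP", True)
    if consent_admin == 0:
        return ("Elevate silently: prompts suppressed even though UAC is "
                "nominally on", True)
    if consent_admin == 2 and secure_desktop == 1:
        return ("Always notify (Vista-style)", False)
    if consent_admin == 5 and secure_desktop == 1:
        return ("Notify only when programs try to make changes, dimmed desktop "
                "(Windows 7 default)", False)
    if consent_admin == 5 and secure_desktop == 0:
        return ("Notify only when programs try to make changes, without "
                "dimming the desktop", False)
    # Any other combination is a custom policy; still a prompt, so not flagged.
    return ("Custom policy (ConsentPromptBehaviorAdmin=%d, PromptOnSecureDesktop=%d)"
            % (consent_admin, secure_desktop), False)


def read_uac_settings():
    """Read the live values on Windows; return None on any other platform."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        settings = {}
        for name, default in DEFAULTS.items():
            try:
                settings[name] = int(winreg.QueryValueEx(key, name)[0])
            except OSError:
                settings[name] = default  # value absent: assume the default
        return settings


def running_elevated():
    """True if this process already has admin rights (Windows only, else None)."""
    if sys.platform != "win32":
        return None
    import ctypes
    return bool(ctypes.windll.shell32.IsUserAnAdmin())


if __name__ == "__main__":
    settings = read_uac_settings()
    if settings is None:
        print("Not on Windows; call describe_uac() with values copied from the key.")
    else:
        level, risky = describe_uac(settings["EnableLUA"],
                                    settings["ConsentPromptBehaviorAdmin"],
                                    settings["PromptOnSecureDesktop"])
        print("UAC level:", level)
        print("Risky:", risky, "| this process elevated:", running_elevated())
```

Reading the key needs no elevation, so the script can run from the "Normal" account the post describes; a `risky` result means the machine is back in the XP situation where anything you click runs with your full rights.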

There’s much talk from users about the possibility of a UAC “Whitelist”, which would allow you to specify certain applications as being automatically Allowed by UAC. I think that would be a great idea! It would enable you to avoid UAC problems for known applications, while still protecting your computer from the things you don’t want installed. Yes, it could lead to some compromises. You could expressly Allow malware to run, defeating the purpose of it. But let’s face it: you just can’t protect everyone from everything. And it would be better than having people turn UAC off on their machines entirely. But for now, that’s not an option. Hopefully, they’ll put something like that in soon.

If you’re a Vista user, there is a Norton tool that’s still officially in “beta,” which apparently does exactly what I was suggesting: It allows you to save a UAC setting for a given application, so if you Allowed it once, it will always allow it. The tool looks like it does a great job, but it doesn’t work for Windows 7 – I tried it.

Otherwise, in those situations, you may just have to turn it off. But you should be asking your software companies why UAC isn’t supported, and when they’ll have a version that works properly available. And you should be aware of the risks.

Microsoft Patch – MS10-046 – Critical

Uncategorized

Microsoft released a Critical patch today for pretty much all versions of Windows, from XP on up. (This doesn’t mean it doesn’t also apply to earlier versions; just that earlier versions are no longer supported.)

The issue behind this patch is that when you create a shortcut for something, Windows actually reads part of the underlying file to pick up things like the icon to use for the shortcut. A problem has been found in the way this works: the very process of displaying the icon can be exploited, enabling code of the attacker’s choosing to run with the privileges of the locally logged-on user.

In other words, you don’t even have to run the program in order to be attacked. All they have to do is make an icon appear on your desktop, and when Windows reads the file to display the icon for it, it will run the malicious code with your permissions. Since many people use Windows XP with Administrator permissions, this means they own your system. And since many people with Vista or Windows 7 routinely ignore (or even turn off) the UAC warnings, they’re going to own them too.

If your system is set for automatic updates, you’ll have already applied this patch this morning. If not, do! It’s a Critical level security patch, and it will likely require a system reboot – it did for me.