planned obsolescence and another major vulnerability
From September 24, 2004 newsletter
Well, I'm due back from Jamaica tomorrow - but since I didn't go, I'm here to tell you about what's going on in your computer world instead. In fact I just got back Wednesday from 5 days over on Vancouver Island as a kind of consolation holiday - so I'm fired up and ready to go again; amazing what a few days away from the threat of e-mail does ;)
In the interests of furthering our education on what happens when somebody finds a potential hole in software that might lead to "the bad uglies" out there taking control of your computer system without your knowledge/authorization, I'm going to go into a bit more detail than normal about a new problem that has only recently been established. First, a bit of news from your favourite "love to hate" company.
An article in News.Com tells us that good ol' Microsoft has all but abandoned their operating systems prior to XP with the note that only XP's version of Internet Explorer will get any security updates in the future. Since IE is felt by many to be THE major security hole in Windows and since it is incorporated into virtually every piece of software most people use daily (it renders web pages and URLs in Outlook/Express, Word, Excel etc. and is part of the file browser), this doesn't bode well for those using the older OS versions.
Taken in concert with the latest vulnerability focus - that of the software that turns JPEG graphics into what you see on the screen (rendering) - the time may be right for you to look hard at changing your web browser to something else (and using some other software than Microsoft's e-mail and office suite too).
This JPEG vulnerability affects Windows XP if you have not installed the SP2 patches. See: http://www.auscert.org.au/render.html?it=4409 for an explanation of what the problem is. This bulletin says they have not confirmed the problem in IE, but it has since been established that IE does have the problem.
This article: http://asia.cnet.com/news/security/0,39037064,39194791,00.htm shows that sample code to take advantage of the bug has already been created - only a week or so since the formal notice that there was such a flaw. As noted in the article, "such code preceded the Sasser worm by two days and the MSBlast worm by nine days." So the time to act is now, before an exploit is "in the wild", especially since everyone views JPEG files every time they open a web page.
So you don't think I'm only bashing Microsoft, I'll note that a similar problem exists in older versions of Mozilla - the browser I use on Linux and which is also available (and my preferred one) for Windows. See: http://secunia.com/advisories/12526/ for the ugly details if you are interested.
Just in time it seems, http://www.mozilla.org has released new and updated versions of their browsers and e-mail software. I highly recommend that you add these to your desktop on Windows and use them instead of IE (and use Thunderbird for e-mail). This software is free, covered under the GPL (www.gnu.org for details of the license).
For those who just can't give up Outlook (2000, 2002, 2003 only) the following page has a program that adds more control over what attachments are "automatically and transparently" executed - such as HTML and image retrieval. See: http://www.slovaktech.com/attachmentoptions.htm to download the program. Note that I have not tried this because I don't use Outlook, I use Evolution, an Outlook look-alike that runs on Linux and that already has this kind of control.
For an alternative office suite look at: http://www.openoffice.org/


