Be careful what you wish for...

[lordshipmayhem]

How many of you have ever wished to see a geek panicking?

Me neither.

But I do have a linkie to a panicking geek. He works for the SANS (SysAdmin, Audit, Network, Security) Institute, one of the biggest independent institutions out there dealing with system security. In other words, when he says it's time to panic, it is definitely time to panic.

The basic story: There's an unofficial patch available for the WMF vulnerability, and he's doing the unthinkable: Recommending that you install the UNOFFICIAL patch, rather than wait for an official Microsoft-approved patch. F-Secure is advising the same thing.

It all makes for a somewhat terrifying read, if only for the damage the can do to your friends' computers' operating systems. He very much sounds like he's fearing Tuesday, when everyone goes back to work and powers on their workstations for the first time in maybe a week and a half.

Comments

[kats-kradle.livejournal.com]

Perhaps it's because I'm not techno savy but I don't see a link to the patch we're supposed to install anywhere. Just a 'Download it!'.

[lordshipmayhem.livejournal.com]

The "Download it!" is actually aimed at system admins, not home users. The patch can be found with some judicious looking for the Internet Storm Centre links, which you can get from SANS' home page.

Here are some links for more info:
- F-Secure's take on this (http://www.f-secure.com/weblog/)
- F-Secure's recommendation for all users (http://www.f-secure.com/zero-day/)

F-Secure's recommendations for you, the non-techie home user to use:
- Do not use Internet Explorer, full stop. Use either FireFox or Opera. (they don't automatically run scripts off of .wmf files, which means you're safe from .wmf's on websites)
- Do not click "Yes" on any e-mail attachment with .wmf extensions.
- Update your antivirus. AVG makes one that's available for free for home users, I think F-Secure's version is "free to home users" as well.
- Turn on your Windows Automatic Updates so that when they produce a patch for XP you can get it right away. (Of course if you've got an earlier OS, fagetaboutit, it's not supported so they're not likely to produce a patch for it. Either upgrade to XP, or pick up a copy of Linux for Dummies. I have a copy of that book.)

By the way, according to F-Secure, we can add Windows 2003 to the list of endangered OS's - hey, isn't that SERVER software?!?

(The crackpot thing about this is, this isn't a newly-created security hole, it's a feature of ancient vintage that should have been removed with the Win98 or Win95 release.)

[flamika.livejournal.com]

I made my way over here from Ysa's journal, and I was wondering where I can download the AVG antivirus software? Man, this is so scary. >_>

[lordshipmayhem.livejournal.com]

One source (there are others out there):

http://www.grisoft.com/doc/289/lng/us/tpl/tpl01.

I find a monoculture like Windows scary, especially considering the petri dish that passes for "secure programming" in M$'s world. Linux isn't a monoculture: you don't have the same application software everywhere, like Internet Explorer - I've got three different browsers to choose from, and that's just what's installed (FireFox, Konqueror, Ephiphany), there are even more out there.

I strongly encourage all friends to at least check out Linux. They've got several "live" distributions you can check out without actually committing to anything - runs off a CD in your CD tray rather than installing on the hard drive. There are also a few good guides for non-geek newbies, like Michel Gagnon. The thing is, except for tax prep software and some games, there are plenty of Open Source alternatives out there. The only things Linux doesn't have: Viruses and worms.

Myself, I dual-boot between Windows and Linux at the moment. When it's running on Windows, the router and modem are powered OFF. (The next computer will have Win4Lin/Windows, which means I won't need to get out of Linux to run a Windows session. But that calls for plenty of memory, and my current computer would need more memory.)

[flamika.livejournal.com]

Thank you!