This is an Open Trackbacks Alliance post. Link to this post and track back all weekend long. More below the mishmash (which includes some info anyone who uses Internet Exploder or Outlook MUST read!)
If you’ve not heard of it yet, on Tuesday Microsoft acknowledged a(nother!) serious security flaw in Internet Exploder (and by extension also in the html rendering in Outlook/Outlook Express) that you MUST take seriously.
To deal with this security flaw, you have two paths to take at this time, since Microsoft has NOT issued a patch:
1.) Stop using Microsoft’s internet applications! Stop it! Now! I use Opera for my browser, email and newsfeed client. I don’t really need to use Internet Exploder, unless some jackass website builder requires Active X components to load a site I NEED to use. (And in most cases, I’ll get on the phone to ’em and chew ’em out for it.)
2.) Kludge through the workarounds:
From Microsoft’s Security Advisory 925568, under Workarounds, in addition to UN-registering the vgx.dll (Click Start, click Run, type “regsvr32 -u “%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll”” (without the quotation marks), and then click OK.):
Read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector
Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version and Microsoft Outlook Express 6 users who have applied Internet Explorer 6 Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only. Digitally signed e-mail messages or encrypted e-mail messages are not affected by the setting and may be read in their original formats. For more information about how to enable this setting in Outlook 2002, see Microsoft Knowledge Base Article 307594.
Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:
1. The changes are applied to the preview pane and to open messages.2. Pictures become attachments so that they are not lost.
3. Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.
OK, don’t say you weren’t warned. For my part, the machines around here are all having the vgx.dll unregistered, and I’ll simply keep on using Opera for all (well, 99.99%) my web browsing, email and RSS feeds.
UPDATE: Released today by ZERT: third party patch for the VML vulnerability from the “Zero Day Emergency Response Team”—NOT a Microsoft patch.
BTW, see the foot of thos post (“read more here” below the Open trackback reminder) for a few personal observations about Microsoft and security holes/vulnerabilities.
This is an Open Trackbacks Alliance post. Link to this post and then track back. If you want to host your own linkfests, check out
Also note the other fine blogs featuring linkfests at Linkfest Haven.
There are several issues working together to make many Microsoft products—OSes, Office Software, Web software—insecure in many different ways. First, of course, is that Microsoft is THE big target. Yes, there ARE malware that can attack Mac OSes (including OS X) and Linux. But the Mac OSes make up a miniscule part of computing—charitably around 5%—and Linux not an aweful lot more, at least compared to Microsoft.
But it is true that both Mac OS X (developed out of BSD, a Unix code based OS) and Linux are harder to “break” than any Windows OS. A large part of that is that Microsoft has tried to make Windows all things to all people—it’s much more flexible fronm a user standpoint than Mac OSes have ever been, for example, and much easier to “play with” than Linux. Both of those make Windows easier to attack and to break.
Then there’s the fact that with such deep and wide market penetration/share in its highly profifitable applications market (including sales to Apple users—Microsoft still sells more software to Apple users than even Apple does), Microsoft has continued to make its OSes and aplications backward compatible, increasing software bloat and complexity to the point that it is almost impossible for there NOT to be major exploitable holes and gaps in its software. Until now, Microsoft has avoided just starting over from ground zero (as Apple almost did with OS X–almost, but not quite) largely, though not solely, because of this attempt to maintain some backward compatibility.
There are other reasons, including the way the Microsoft corporate atmosphere seems to be a weird mix of cluelessness in some areas and rigidly blind in others (IE 7 is still not as standards-compliant as the first iteration of Firefox or the outdated Opera 8, for example), but suffice it to say, if one is running a mission-critical computer using a Microsoft OS and application software, one MUST be proactive in maintaining the thing.
For me, that’s not a problem, cos I kinda enjoy tinkering. (Heck, for years I saved malware folks sent me in emails–malware that my anti-virus software had sequestered/deleted and that I’d recovered)–as simple plain text files to look at and kinda play with to see how they worked. For fun. No, I have never infected my computers—or anyone else’s, since I haven’t allowed mine to be infected—with any viruses, trojans or worms (Oh my!). But I do still have plain texts of code snippets around here somewhere just cos it’s interesting and fun to look at how they work. So, yeh, I kinda enjoy keeping our computers up-to-date. But if you don’t like messing with that kinda stuff all the time or find it a hassle, consider checking out Ubuntu or Puppy Linux–both good distros that are easy enough for the proverbial “Aunt Tilly” to use.
Please visit my website to read more about the Citgo boycott and another organization who is coordinating efforts as well. Click for here more details.