No news here, move along… eEye Security apparently wasn’t getting its name in the papers enough, so they blabbed to the media that they had discovered yet another exploit in Outlook and Internet Explorer (including exploits that work in Windows XP SP2) and had reported them to Microsoft on March 16th and 29th. InfoWorld and eWeek picked up the story, echoed on sites like OSNews and, well, here 🙂
Since the exploit is in all recent versions of Windows, and most users run as an administrator (or have no choice, on Win9x), an exploit such as this means a malformed web page or email message could take over your machine, letting evildoers steal everything on your hard drive. eEye officials express concern over a “Zero Day Exploit,” a malicious attack before the exploit is patched. If only a small percentage of the estimated 500 million vulnerable Windows machines are exploited, we can anticipate serious disruption and millions in cleanup costs, as we have seen from previous Windows exploits.
What can you do?
First, stop running as administrator – create a power user account and log on as that user. That may not prevent your machine from being compromised, but it can limit the damage done.
Second, stop using the affected software. Enterprise users of Exchange-Outlook may find some trouble finding a replacement for all of the “integrated” features, but when the alternative is continuing, never-ending security exploits, well, compromise is called for. Responsible IT departments are already evaluating workgroup software from other vendors or those packages available under a free license. Make sure yours is.
If you don’t have enterprise Outlook dependencies, consider Thunderbird as an email client replacement.
Replacing Internet Explorer is both more difficult and easier. Get FireFox. It’s just better. Got applications that won’t run without IE? Get rid of them – keeping Typhoid Mary around because it’s so hard to find a good cook just doesn’t make a lot of sense. Cut your losses. You can’t remove Internet Explorer from your computer – Microsoft claims it is an integral part of the operating system, but you can remove its associations and use as the default applications – a quick Google search yields 800,000-plus hits for “disable internet explorer” pointing to sites like About.com. As part of its anti-trust settlement, Microsoft was required to make a utility available to switch default email and internet clients – In Windows XP, check under Control Panel, Set Program Access and Defaults.