December 30, 2005

Is it just me or is anyone else concerned?

So, if you haven't heard by now we're all vulnerable. Meaning, that Microsoft has a zero day vulnerability out there, it's unpatched, and it's in functionality that's enabled by default. Yeesh... Anyway, Pete Lindstrom has been posting recently about how this particular bug is largely irrelevant. Pete's point is that because the vulnerability requires user interaction, that it's not an issue. No disrespect to Pete intended, but I'm not entirely in agreement on this one. Here's the crux of the argument - you have to go to a malicious web site to be impacted by this bug. Because of the need to follow a link to retrieve the content ("user interaction" as mentioned in Pete's entry), only the people who don't read security alerts are likely to be hit. Allow me to interject the caveat that I haven't researched this vulnerability myself, but I'm going on what information I can find in the press (can be somewhat unreliable at times).

Needless to say, I disagree. Pete's underlying point is a sound one - namely, that not every security vulnerability is the end of the world. However, I don't think "clicking a link" is much of a barrier to prevent a user from becoming compromised - especially when so many programs will automagically retrieve html content and render it behind the scenes. Mail someone an HTML mail with a server-hosted image in it and you'll see what I mean.

Pete's guidance, "get a HIPS" and "don't click on it" do a disservice to the user in my opinion. In this day and age, I think our response to malware and vulnerabilities has to be better than "don't click on it"... as we should have learned from the eighties, "just say no" doesn't work. As to putting your faith in a HIPS - I just put a bunch of them through the lab for accuracy testing and let's just say I'm worried if that's the last line of defense.

Posted by Ed at December 30, 2005 07:11 PM