You’d have to be living in a cave not to have heard the news last week about a Windows security flaw that’s already being talked about as one of the worst, and most dangerous, ever found. (The executive version: there’s a flaw in the part of Windows devoted to interpreting image files that lets those image files contain actual program code which can do Very Bad Things to a computer. And the worst part is that all someone has to do to trick the computer into running that program code is get that computer to display the trojan-horse image — like getting the user to surf to a web page, or even just read an email. Microsoft’s security bulletin is here.) While I’m not usually prone to Microsoft bashing, it’s a pretty pathetic statement that the bug was found last Tuesday, and the danger of the bug was validated the very next day, but we’re now six days later and don’t have a patch from the folks in Redmond. And sadder still, a patch has been written by someone totally unaffiliated with Microsoft, Ilfak Guilfanov. (The well-respected Windows security expert Steve Gibson explains how Ilfak’s patch works here.) If I were administering a slew of Windows machines, I’d have to think long and hard about not distributing Ilfak’s patch as soon as possible, and then uninstalling it once Microsoft gets around to issuing something more official.
Update: now that the folks at SANS (possibly the most knowledgeable and well-respected computer security experts in existence) are recommending using Ilfak Guilfanov’s patch, I think that sysadmins who choose not to use it are asking for their networks to get compromised. They’ve also produced an MSI installer that is suitable for unattended installation via policy files, something that should make most admins of large Windows sites pretty happy.
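The flaw the post is talking about is the Windows Metafile (WMF) SETABORTPROC escape bug (Microsoft bulletin MS06-001): a WMF record can ask GDI to register a callback, and the callback body lives inside the image. As an added example that is not from the original post, from Ilfak’s patch or from SANS, here is a defender-side scanner that walks a WMF file’s records and flags the escape the exploit depends on; the sample file is constructed inline, carries no payload, and the record/escape constants come from the public WMF format, not from the post.

```python
import struct

# WMF format constants (public specification, not taken from the post)
PLACEABLE_KEY = 0x9AC6CDD7   # optional 22-byte "placeable" header in front of the standard one
META_ESCAPE = 0x0626         # record function for an escape
SETABORTPROC = 0x0009        # the escape that registers an abort callback


def find_abortproc_escapes(data: bytes) -> list:
    """Walk the WMF record stream and return byte offsets of META_ESCAPE/SETABORTPROC records."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        return []
    # Standard header: Type, HeaderSize (in 16-bit words), Version, Size, NumObjects, MaxRecord, NumMembers
    header_words = struct.unpack_from("<H", data, off + 2)[0]
    off += header_words * 2
    hits = []
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)  # every record: size (words) + function
        if size_words < 3:
            break  # malformed: a record is at least the size field plus the function field
        if func == META_ESCAPE and off + 8 <= len(data):
            escape = struct.unpack_from("<H", data, off + 6)[0]  # first parameter is the escape code
            if escape == SETABORTPROC:
                hits.append(off)
        off += size_words * 2
    return hits


def build_sample(escape_code: int, placeable: bool = False) -> bytes:
    """Constructed minimal WMF: header, one META_ESCAPE record with no data, then the EOF record."""
    header = struct.pack("<HHHIHIH", 1, 9, 0x300, 0, 0, 0, 0)
    esc = struct.pack("<IHHH", 5, META_ESCAPE, escape_code, 0)    # 10 bytes = 5 words, zero-length escape data
    eof = struct.pack("<IH", 3, 0)
    body = header + esc + eof
    if placeable:
        body = struct.pack("<I", PLACEABLE_KEY) + b"\x00" * 18 + body
    return body


if __name__ == "__main__":
    print(find_abortproc_escapes(build_sample(SETABORTPROC)))   # [18]
    print(find_abortproc_escapes(build_sample(0x000F)))         # []
```

Because the size field is attacker-controlled, a record walker like this can be steered past a bad record; the network signatures published for this bug also matched the raw escape bytes, and a scanner for untrusted files should do both.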