By Susan Bradley
All Windows users need to be aware that Microsoft never links to downloads in its e-mail messages, but always requires a visit to a security bulletin landing page to download a patch.
If you receive an e-mail containing a link promising to upgrade Microsoft Outlook or Outlook Express, you should simply delete the message to avoid being nailed by a Trojan horse.
Many Windows Secrets readers have recently received these fake e-mails. The scams have focused on a supposed upgrade for Outlook and Outlook Express — e-mail clients widely used in businesses.
The reason I’m writing today’s short Patch Watch column — which is outside my usual twice-a-month schedule — is that a high number of these e-mails have reached people’s inboxes, somehow evading the usual junk-mail filters.
These fake Outlook patch alerts have affected PC users worldwide. I even found a post from a Microsoft forum in China asking about the e-mail’s validity. As the Sophos blog explains, if you follow the instructions in the bogus message, it results in your running nasty hacker code.
Actual security bulletin notices from Microsoft are quite dull. They never include direct links to the downloadable patch. Instead, they require you to go to a bulletin landing page. Most importantly, they’re always signed with a PGP signature. (See Figure 1.)

Figure 1. Microsoft’s security-bulletin e-mails are always identified as PGP SIGNED.
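The checks described above (no direct download link, links only to Microsoft hosts, a PGP SIGNED block) can be applied mechanically to a saved message; the following is an added example, not code from this column or from Microsoft. The trusted-host list, the extension list and both sample messages are assumptions constructed for illustration, and finding the PGP header line only shows that a signed block is claimed: confirming it requires verifying the signature against Microsoft's published key.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_SUFFIXES = ("microsoft.com",)  # assumption: hosts counted as Microsoft's
DOWNLOAD_EXTS = (".exe", ".msi", ".zip", ".scr")  # assumption: "direct download"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
PGP_HEADER = "-----BEGIN PGP SIGNED MESSAGE-----"

def triage_bulletin(raw):
    """Return reasons a claimed Microsoft bulletin fails the column's checks."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = "\n".join(
        part.get_content() for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html")
    )
    findings = []
    # Presence of the armor line only; it does not verify the signature.
    if PGP_HEADER not in text:
        findings.append("no PGP SIGNED block")
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # Match on the end of the hostname so look-alike prefixes fail.
        if not any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES):
            findings.append("link to non-Microsoft host: " + host)
        if parsed.path.lower().endswith(DOWNLOAD_EXTS):
            findings.append("direct download link: " + url)
    return findings

# Constructed samples, not real messages.
FAKE = (
    "From: updates@example.test\nSubject: Outlook upgrade\n\n"
    "Install now: http://update.microsoft.com.example.test/outlook-upgrade.exe\n"
)
SIGNED_STYLE = (
    "From: bulletins@example.test\nSubject: Security bulletin\n\n"
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
    "Details: https://www.microsoft.com/bulletin-placeholder\n"
    "-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    for name, raw in (("FAKE", FAKE), ("SIGNED_STYLE", SIGNED_STYLE)):
        print(name, triage_bulletin(raw))
```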
When in doubt, always download patches directly from the Microsoft Update site. Even considering the recent problems with update notifications that don’t always appear in Windows as expected — see this week’s Top Story for details — you should always download updates for Windows and other Microsoft software only from Microsoft servers.
The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received an MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.