By Susan Bradley
By now you’ve opened your presents and you’re playing with your new tech toys — but don’t let the Grinch spoil your holiday season.
Let’s take a quick look at some flaws that Microsoft hasn’t yet patched, and which people may use to try to scam you this season.
Unpatched issues to look out for
Incidents.org recently published a recap of 10 security holes that Microsoft still hasn’t patched as we enter the New Year. Some of these were publicly disclosed as long ago as Oct. 20, 2006.
One exploit, first disclosed on Oct. 24, involves ActiveX controls that can crash Internet Explorer and possibly infect a PC. This flaw is rated “critical” by the Internet Storm Center, but the recap does provide a workaround that advanced system admins can use to close the hole. No patch or update is yet available for beginning and intermediate users, unfortunately. (If you don’t know how to “set a killbit,” wait for a patch to be released.)
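For admins who do know the kill-bit workaround mentioned above, here is an added example (not from the Internet Storm Center recap or from Microsoft) of setting and verifying the Internet Explorer kill bit for one ActiveX control from an elevated PowerShell session. The CLSID, the two function names, and the variable names are placeholders and assumptions; substitute the CLSID named in the advisory.

```powershell
# Added example: set the Internet Explorer "kill bit" for an ActiveX control.
# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD under the
# ActiveX Compatibility key; once set, IE refuses to load that control.
# Run from an elevated (administrator) session. On 64-bit Windows the 32-bit
# browser also reads the same key under SOFTWARE\Wow6432Node.

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # Compatibility Flags bit that blocks the control

function Set-ActiveXKillBit {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')]
        [string]$Clsid
    )
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Preserve any flags already present; only OR in the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    $new = $current -bor $KillBitFlag
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    return $new
}

function Test-ActiveXKillBit {
    # Returns $true only if the kill bit is present in the stored flags.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -eq $KillBitFlag)
}

# Placeholder CLSID (not a real control); replace with the advisory's CLSID.
$clsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit -Clsid $clsid | Out-Null
"Kill bit set for ${clsid}: $(Test-ActiveXKillBit -Clsid $clsid)"
```

Setting the kill bit does not uninstall the control; it only stops Internet Explorer from instantiating it, so the control is still removable or re-enabled later when a patched version ships.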
The other threats that are the most urgent are three “unspecified vulnerabilities” in Microsoft Word. These exploits, which can infect a PC even if Word macros are turned off, have led some firms with strict security policies to block all Word document attachments.
I believe that this policy is extreme at this time. The threats became known only this month, and I haven’t seen widespread use of the three exploits. The reality with any e-mail attachment is that only attachments that you’re expecting should be opened. If you’re not expecting an attachment, don’t open it. If in doubt, call or e-mail the sender to confirm.
Further details on eight of the unpatched security holes are provided in eEye Digital Security’s Zero-Day Tracker — a Web page that links to complete descriptions of the problems.
The first Vista security issue?
Last year at this time, we were all trying to protect against the Windows Metafile (WMF) vulnerability, which could infect you if you simply viewed a hacked image on a Web page. This issue was corrected by Microsoft in its first (out-of-cycle) patch of the year, MS06-001.