[LINK] Animated cursor flaw in All Windows

Stilgherrian stil at stilgherrian.com
Wed Apr 4 16:05:55 AEST 2007


On 4/4/07 3:27 PM, "Mike Shearer" <mike.shearer at jcu.edu.au> wrote:
> 1.  does an average JC ever find out about these MS security alerts?
> I've only heard of it so far thru Link.

Essentially you don't. Microsoft, like pretty much all software vendors, has
public mailing lists and RSS feeds to inform people of updates and security
warnings, and it's "general knowledge" that all software needs updating --
though of course "general knowledge" is a tricky concept. Most people do not
choose to subscribe -- but then do you also subscribe to other update info
for the other products you buy?


> 2.  is it intended that the average JC should be able to make any sense
> out of them? 

No, they are aimed at IT professionals -- in the same way that if Ford had a
recall notice, the "what to do" information would be aimed at qualified
mechanics. The "end user" would be told to take their car to a mechanic.


> 3.  what is actually at risk for a user such as I've described us if
> they are ignored?

An attacker can do whatever they like with your computer. At the low end of
risk it's about your computer running slowly because it's being used for
other things -- sending spam, distributing porn.

More dangerously, and pretty standard, is that the attacker monitors
everything you do, getting your credit card numbers, banking logins, name,
address and everything else they need to steal your identity and do you
financial harm. Indeed, getting this info is usually exactly the purpose of
the attack.

> 4.  what is actually at risk for OTHER USERS  if we ignore them?

Your computer becomes part of the network of zombies spreading these attacks.


> 5.  are MS service packs installed as part of the MS automatic updates?
> How can you find out what exactly MS has been updating, and why?

"Service Packs" usually not, as they often introduce so many changes that
something might go wrong -- especially in terms of compatibility with application
software or drivers for hardware devices. The decision to install a service
pack is therefore something to handle manually.


Stepping back, I think part of the problem is that the marketing department
peddles the idea that "computers are simple". They're not, they're very
complex machines -- and like all complex machines they need to be maintained
by people who know what they're doing.

As with your car, your "average Joe" user has a choice: take it to the
mechanic and have it serviced properly, learn to be a mechanic -- or
neither, and have endless problems.

Stil


-- 
Stilgherrian http://stilgherrian.com/
Internet, IT and Media Consulting, Sydney, Australia
mobile +61 407 623 600
fax +61 2 9516 5630
ABN 25 231 641 421







