Friday, January 06, 2006

First MS patch of the year is out

Make sure you install MS06-001 on your Windows machines. (Go to Microsoft Update or Windows Update and install the recommended patches, or get it directly here.) More regularly-sheduled patches come out on Tuesday.

It's always hectic when a 0-day exploit is released (that means there is a public exploit out there without a fix from Microsoft). Lots of interesting stuff happened with this one, but what struck me was the release of an "unofficial" patch for the issue. (I just used the recommeded mitigation and unregistered shdocvw.dll on my machines. That blocks the web and image-in-email attack vectors). I was surprised to see how many security companies and media outlets pushed the unofficial patch, despite the low level of testing and risk that many systems or applications could be broken.

I wonder if we'll start seeing unofficial patches for all 0-day critical exploits? Maybe Microsoft could release "alpha" (untested) patches for people to use at their own risk? At least then they would be signed and you could validate that you're not installing malware hidden as a patch.

No comments: