Reading Bugtraq today I saw this message about a “vulnerability” in Windows. Apparently — get this — if someone has the ability to install arbitrary system software on your computer, they can replace the SSL library used by IE and log all your internet traffic before it gets encrypted.
Somebody tell Al Gore to shut down the internet now before it’s too late!!!
C’mon, if someone is running arbitrary code on your machine it’s not your machine any more. Why even bother trying to spoof the SSL layer for IE when you could just, I don’t know, install a keystroke logger or filesystem watcher and get all the user’s data (instead of just their Hotmail password)?
And just what is supposed to stop the attackers from spoofing the tool that’s supposed to detect the spoofing? A spoof-buster-buster-buster? I don’t know.
End users are never going to learn about real security if they keep getting hit with messages like this. But I guess they might be scared into downloading a “security” tool if it helps them sleep better at night.
Of course if you were paranoid none of this would be an issue anyway.
Oh, and it’s the second Tuesday of the month, so go to Windows Update and get the latest patches. They’re rated as “Critical”.