A ridiculous “security” tool

Reading Bugtraq today I saw this message about a "vulnerability" in Windows. Apparently -- get this -- if someone has the ability to install arbitrary system software on your computer, they can replace the SSL library used by IE and log all your internet traffic before it gets encrypted.

Somebody tell Al Gore to shut down the internet now before it's too late!!!

C'mon, if someone is running arbitrary code on your machine it's not your machine any more. Why even bother trying to spoof the SSL layer for IE when you could just, I don't know, install a keystroke logger or filesystem watcher and get all the user's data (instead of just their Hotmail password)?

And just what is supposed to stop the attackers from spoofing the tool that's supposed to detect the spoofing? A spoof-buster-buster-buster? I don't know.

End users are never going to learn about real security if they keep getting hit with messages like this. But I guess they might be scared into downloading a "security" tool if it helps them sleep better at night.

Of course if you were paranoid none of this would be an issue anyway.

Oh and it's the second Tuesday of the month, so go to Windows Update and get the latest patches. They're rated as "Critical".

Comments (8)

  1. moo says:

    I don't think a blanket "get all the latest patches" is a good thing to recommend. I regard it as foolish. Evaluate whether you need the patch or not.

    No point in installing a patch if you are not running a service that it's patching for example.

    Can we have a list of changes made in the patch? Like, what was the problem and what it fixes along with a repro scenario to test this.

    Usually it's a bit too vague on the KB article.

    I guess this would depend on what level you are targeting, with automatic updates I would imagine the Consumer level you are talking about as enterprise level would run SUS etc.

    Why can we not modify /etc/hosts file with wildcards instead of EXACT matching, this would save a huge amount of entries and problems.

  2. Eric Lippert says:

    > No point in installing a patch if you are not running a service that its patching for example.

    There’s also no point in NOT patching a service you’re not running. Suppose a patch comes out for a service that’s not running. What is the worst possible outcome of (a) patching, and (b) not patching?

    In (a) the worst possible outcome is, uh, actually, I can’t think of a bad outcome of patching a service you’re not using. Even if by some terrible accident the patch is broken, how would you know? You’re not running the server.

    In (b) the worst possible outcome is you don’t apply the patch, next week someone turns on the service, and is immediately "ownzored" (I am so elite!) by some zero-day exploit, and someone runs the Malware Of Ultimate Destruction on your box.

    (Google "Malware of Ultimate Destruction" for my essay on the subject.)

    Now, that’s not to say that Peter’s blanket advice is good advice for everyone everywhere. If you’re reading this and you’re the guy who rolls out patches to ten thousand desktops at Ford or Boeing or something, you maybe want to try out that patch on a small subset of your network first, and carefully evaluate the results. (But then again, I bet you knew that already…)


    WARNING! If an attacker puts malware.exe into c:\documents and settings\all users\start menu\programs\startup ….


    I agree – it's only a security threat if IE was stupid enough to (say) load the DLL from Temporary Internet Items or something else that users couldn't reasonably expect.

  4. While we should regard these as stupid as you say, I also think that the system should provide a form of protection under these scenarios. The new features of protecting critical system libraries from being replaced is stellar, and maybe should be extended to applications, such as IE, or even arbitrary user applications.

    At least then, when the fool downloads and runs arbitrary code, they know the arbitrary code is possibly doing something wrong. The end result is that a lot of files are being passed around the Internet in the form of cool apps, games, or whatever, and at any time, you might run something from a trusted source that contains a trojan your most trusted friend didn’t really know about.

  5. Jack Mayhoff [MSFT] says:

    I say we take off and nuke Redmond from orbit, it's the only way to be sure.

  6. Peter Torr says:

    You can’t make that kind of decision — you’re just

    A GRUNT!

  7. Personally, I think aluminum foil deflector beanies are the way to go.
