After another security hole recently surfaced in Microsoft's
Windows operating system, the software giant released a
patch this past Friday to plug the possibly devastating
"back door" which allows hackers to potentially seize
control of any pc running Windows.
The latest threat, "Download.Ject," infiltrates computers
after users surfing with Microsoft's "Internet Explorer" web
browser visit websites infected with the virus.
This newest security patch covers Windows XP, 2000, and
Windows Server 2003.
Several factors make this latest development more disturbing
than past discoveries of security problems with Internet
Explorer, currently the most dominant web browser on the
First, it demonstrates very clearly that criminals
discovered they can use the power of viruses to very
profitably steal important bank, personal, and credit data
from people on a large scale.
Second, it took Microsoft what many would consider a very
long time to come up with a patch for this problem.
Before a fix appeared, Microsoft told everyone who uses
Internet Explorer to stick their finger in the dyke by
putting their web browser security settings on high,
rendering it impossible to view or use features on many
websites and web-based services.
Third, expect this to happen again as new holes open in the
future when Microsoft makes Windows more complicated, adds
layers of code, and generally makes the operating system
This may sound like business as usual, however, I think
this story actually points to a much deeper problem, one for
which I'm not sure a simple solution exists.
Though free and reasonably reliable, many people do not
automatically update their Windows operating system through
the update service on Microsoft's website.
(I won't even get
into how many people don't operate up-to-date anti-virus
Whenever Microsoft publishes a security update, especially
for a highly publicized and obviously widespread security
breach, thousands of people will not immediately download
In fact, tens-of-thousands of users will not download these
security updates for days, weeks, even months (if ever).
So let me ask what seems like a very elementary question: By
publishing security updates that point out very obvious
flaws in their system, doesn't Microsoft also point the way
to exactly where the holes exist?
Let me put it another way.
Doesn't this rate the same as discovering that the local
bank vault won't lock and then announcing the details on the
front page of the paper along with the dates and times no
bank guard will be on duty?
After all, if tens-of-thousands of users won't immediately
get the Microsoft Security Patch, don't those patches show
hackers exactly which holes get plugged (and which,
logically, must already be open without the patch)?
It doesn't take a hacker with more than a basic set of
skills to recognize where and what holes got fixed and then
reverse-engineer how they can get into computers that don't
Now, do I have a concrete, 100% bullet-proof answer to this
problem? Unfortunately, I don't have more than a common-
At this point, your best defense rates staying current on
the latest threats and how to defend against them.
Keep your anti-virus software current, your firewall up, and
your Windows software updated with the latest security
Though not a perfect solution, at least you'll have a
fighting chance to prevent, or at least minimize, any