January 24, 2010, 12:00 PM — I still think that the safest thing you can do about your Web browsing habits is to switch from IE (Internet Explorer) to Firefox or some other browser. But, if you're wedded to IE 7 or 8 -- please, please stop using IE 6--Microsoft has made a fix available for all versions of IE. If you're reading this and you haven't upgraded your copy of IE yet, do yourself a favor, do it now. I'll wait for you.
OK, using updated IE or some other browser now? Good. Now, for the bad news, it turns out that Microsoft knew about this critical bug since last August!.
Some people are making excuses for Microsoft that five months isn't too long for them to fix this, and seven other serious IE bugs. Please. Give me a break. Serious security bugs are found and fixed in open-source software in days or weeks. Why should Microsoft get a free pass?
In its last reported quarter, Microsoft had a net profit of more than 3.5-billion dollars. Is it too much to ask for that they spend more of that on patch programming and quality assurance?
But, what worries me far more than Microsoft's tardy ways when it comes to fixing major problems is that a relatively unknown bug was used in the attack. Usually, criminal hackers are a lazy lot. They wait until some security researcher or the other reveals a security hole, and then they attack it. Or, more likely still, they wait until a company announces a patch for a known security hole, and then they jump on it.
In other words, they're not really hackers at all. They just have a bag of trick attacks that they deploy once someone else has shown them the way to a security hole. That's why it's so important to patch your software the second a fix is available. It's that brief period between when a security hole is fixed and most users have patched it that the crooks have their best chance to corrupt the most PCs.
That wasn't the case here though. This time, someone, Google claims the Chinese government, worked on a very successful attack before the security hole was publicly acknowledged, much less fixed.
This indicates to me those China-based hackers, or some other group that's not made up of lazy crooks, is now turning their attention to exploiting Windows' myriad security holes. This is bad, bad news.
In the past, if you kept your Windows and its software up to date with patches and used security software, you were relatively safe. Now, now I'm not so sure.
It also makes me worry about Linux and Mac OS X. Yes, they're both inherently more secure than Windows, but that doesn't mean they're perfectly safe. They're not. No computer operating system is. They're just much harder to attack. But, if some large, well-funded group with technical savvy is now working on not just exploiting security holes, but finding them, then it makes sense for all of us, no matter what we're running on our computers, to be much more cautious. Be careful folks. It's getting ever more dangerous out there on the Web.
