Jul 22 2006
Dammit idiots, patch your machines already!
I think you should have to get a license to use a computer. I don’t know… I just reckon the idiots out there would disappear instantly if you did; or at least most of them would.
At the end of last year a vulnerability was found in the way Windows renders WMF (Windows Metafile) images. It was not a buffer overrun but a design flaw: the GDI metafile player honoured a SETABORTPROC escape record, which registers a callback, and a crafted WMF could point that callback at code carried inside the file itself, so merely rendering the image ran the attacker's code whether you allowed it to or not. The bug was so serious that Microsoft broke its once-a-month patching schedule and pushed the fix (MS06-001) out of band on January 5, 2006, as soon as they had a patch (albeit more than a week after exploits were already circulating in the wild).
The security implications of this vulnerability are so enormous it's hard to even put them into words: an unpatched Windows machine could be taken over just by displaying an image, with no user interaction beyond visiting a page. The story broke everywhere. It was huge.
And yet, for some ungodly reason, some idiots still haven't patched their machines! Six months after the patch was issued, the same vulnerability is being used to bag people who haven't updated!
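As an added example (not part of the original post, and not Microsoft's or iDefense's code), here is a small Python scanner for the record pattern the exploit relies on: a META_ESCAPE record carrying the SETABORTPROC escape. The record layout follows the published WMF format; the sample files at the bottom are constructed inline, with inert filler in place of any payload, and the function and constant names are mine.

```python
import struct

# WMF record function numbers and escape codes (from the WMF spec).
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009            # the escape MS06-001 removed from metafile playback
PLACEABLE_MAGIC = 0x9AC6CDD7     # optional 22-byte "placeable" header prefix
HEADER_LEN = 18                  # META_HEADER is nine 16-bit words


def wmf_records(data):
    """Yield (offset, function, params) for every record in a WMF byte string.

    Skips the placeable header if present. Record sizes are in 16-bit words
    and include the 6-byte size/function prefix. Stops at META_EOF or at the
    end of the data; a truncated trailing record is yielded as-is, because a
    scanner should see what the (lenient) GDI player would have seen.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + HEADER_LEN:
        raise ValueError("truncated WMF header")
    off += HEADER_LEN
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        nbytes = size_words * 2
        if nbytes < 6:
            raise ValueError("malformed record size at offset %d" % off)
        yield off, func, data[off + 6:off + nbytes]
        if func == META_EOF:
            break
        off += nbytes


def find_setabortproc(data):
    """Return [(offset, escape_byte_count)] for each SETABORTPROC escape record.

    A file-borne SETABORTPROC has no legitimate purpose: it only makes sense
    as an API call during printing, never as a metafile record, so any hit
    is a strong indicator of an MS06-001 exploit attempt.
    """
    hits = []
    for off, func, params in wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            escape, count = struct.unpack_from("<HH", params, 0)
            if escape == SETABORTPROC:
                hits.append((off, count))
    return hits


# --- constructed sample files (not real malware) -------------------------

def _record(func, params=b""):
    if len(params) % 2:
        params += b"\x00"            # records are word-aligned
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def build_wmf(records, placeable=False):
    body = b"".join(records)
    max_words = max(len(r) // 2 for r in records)
    header = struct.pack("<HHHIHIH", 1, HEADER_LEN // 2, 0x0300,
                         (HEADER_LEN + len(body)) // 2, 0, max_words, 0)
    prefix = struct.pack("<IH", PLACEABLE_MAGIC, 0) + b"\x00" * 16 if placeable else b""
    return prefix + header + body


BENIGN_WMF = build_wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                        _record(META_EOF)])

# Inert filler stands in for the attacker's code that the escape would register
# as the abort callback; the shape of the record is what the scanner keys on.
_FILLER = b"\x41" * 8
SUSPECT_WMF = build_wmf([_record(META_SETMAPMODE, struct.pack("<H", 8)),
                         _record(META_ESCAPE,
                                 struct.pack("<HH", SETABORTPROC, len(_FILLER)) + _FILLER),
                         _record(META_EOF)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, find_setabortproc(blob))
```

Apply it by content, not by file extension: the exploit files seen in the wild were served under image names such as .jpg and rendered anyway because Windows sniffed the WMF header, so a scanner that only looks at .wmf files misses the point. It also only inspects a bare WMF stream, not metafiles embedded in other containers.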
Here’s a clip from Neowin.net about the use of that vulnerability on both MySpace and Webshots:
Those using internet browsers such as Firefox and Opera are safe, but those using IE should really patch up. Microsoft released the patch in January, but a banner advert on myspace is all it takes for those unpatched machines to become infected. US computer security firm iDefense discovered the dangerous banner advert that has been seen on many MySpace pages. The code hidden in the advert exploits the WMF bug which preys on a weakness in the way Windows handles images.
Digital detective work by iDefense uncovered computer servers which logged how many times the adware was installed. Before the servers were shut down they had racked up more than one million installs. This shocking figure gives us an understanding of how many users out there forget to update their computers.
No. It actually gives us an idea of how many people are using an inherently insecure operating system where patching is voluntary, and where not patching is damaging to the rest of us. Considering how many people use Windows, maybe it's about time Microsoft instituted mandatory patching. It's obvious from the sheer volume of people being infected this many months after the patch was issued that most Windows users don't understand security well enough to act on it, or grasp the urgency of doing so.
For reference on the vulnerability, see Episodes 20 and 21 of Security Now here.
Technorati Tags: windows, wmf, myspace, spyware, adware, security
