You know, "if you want a job done properly, then do it yourself". Along come our open source white-hat knights in shining armour to save us poor, unworthy, closed-source code users from the insecure tyranny of "Micro$haft".
The only problem was that the patch was a complete turkey.
So what did this patch, designed to eliminate a vulnerability that would assist fraudsters in tricking users through social engineering, actually do? According to German tech site Heise, the OpenWares.org patch actually introduces a serious buffer overflow when it is installed. This much more serious vulnerability allows attackers to take full control of a targeted system. Oh, that's great. Much better, thanks guys!
The patch sought to eliminate a somewhat trivial, but nonetheless newsworthy, URL spoofing vulnerability that would have made it marginally easier for "phishers", or fraudsters, to trick unsuspecting Internet users into clicking on links in scam e-mails. These are the scams that come around every now and then, asking users to "revalidate" their Paypal or Internet banking accounts.
The URL spoofing vulnerability allows an attacker to craft a link that looks genuine -- once a user clicks on it, the address bar of the browser will display a trusted URL, like the address of a login page for the victim's Internet banking service, but the actual content being displayed could come from anywhere. Like a server hosting a fake login page designed to capture the details of the less savvy among us.
With this in mind, best practice dictates that a hyperlink in unsolicited e-mail should never be trusted, which is why my belief is the vulnerability should be fixed, but it isn't a critical or urgent matter. Put the fix in the next roll-up patch in a few weeks and be done with it.
The graphic designer who found the vulnerability, Sam Greenhalgh, sent me an e-mail soon after the details of the issue were published by ZDNet Australia. In it he made some very good points.
"Much as things such as XP's integrated firewall and a huge growth in virus protection have made Bob the home user far more secure, the gaping hole in Bob's security remains Bob himself," he wrote. "The glorified portrayal of 'hacking' that the media presents goes no way to making users any more aware of the painfully simple social engineering that they see every day whilst being duped by all those terribly generous Nigerians who want to give me their money and the numerous updates that Microsoft personally email to me."
Version 2.0 of the OpenWares.org patch is available, but I think I'll give it a miss.
The moral of this tale? Downloading and installing patches written by random strangers probably isn't such a good idea. Oh, and stop clicking on those links in spam.

Open sores software is a joke. I tried to run Linux; it has more patches than Windows ever had and nothing seems to work right.
As if I would install a patch from a company I've never heard of; these guys need to do something else.