Worry, worry, worry, worry

Worry No. 1: Last night I was researching songs about the Earth for my son’s fifth grade class. In the process I found a Web site that caused my copy of Symantec’s Norton Anti-Virus to go into hysterics.

What Norton found was a threat that the company calls MHTMLRedir. This is an interesting hacker exploit that, according to Symantec, involves a Web page containing “specially crafted, HTML code that can download and execute programs without prompting you. This threat only affects Microsoft Internet Explorer.”

Symantec went on: “Under normal conditions, Internet Explorer would prompt you before allowing any executable content to be downloaded and executed on the system. This vulnerability in Internet Explorer allows specially crafted HTML to bypass this security prompt.”

Microsoft issued a patch for this problem – “Microsoft Security Bulletin MS04-013, Cumulative Security Update for Outlook Express”  on April 13, and while the bulletin’s title only refers to Outlook Express, in the text it says “an attacker [could] access files and take complete control of the affected system. This could occur even if Outlook Express is not used as the default e-mail reader on the system.”

So, if I have been rejecting patches offered through Microsoft’s automatic Windows update system because I don’t use Outlook Express, am I potentially, to use a technical IT term, screwed?

Let’s bottom line it, baby: This means the patch isn’t for Outlook Express at all! It means the patch is for the operating system. So, which Microsoft product manager should I shake warmly by the throat for this ridiculous, dangerous and unnecessary obfuscation of the truth? I am seriously worried.

Worry No. 2: What other Microsoft patches fix things that we don’t know about? A suspicious person might conclude that if the company doesn’t tell you what the patch is really for, then Microsoft might also be patching things that no one knows are broken. We should be worried.

Worry No. 3: But let me be really paranoid: Microsoft easily could be adding code to our systems that we know nothing about.

Given that Adobe, HP and other vendors surreptitiously added anti-counterfeiting features to their products without telling anyone and without ever seeing, as far as anyone knows, the source code involved, what might Microsoft have added in patches that doesn’t fix anything but actually adds what we shall call functionality? Should we be worried?

Worry No. 4: Today, I installed an e-mail indexing and search tool called X1. When I started X1 it immediately began indexing all of the 203,000 messages in my Outlook system, and when it finished a couple of hours later I could find any message, attachment, file or contact using complex selection criteria in less than 1 second. Awesome.

But, as X1 processed my e-mail it extracted attachments from messages that I had never opened for one reason or another. This caused Norton Anti-Virus to get hysterical again.

Even though Norton has always been running on my PC and scanning my e-mail, it seems these attachments slipped in under the radar. Of course had I ever launched the contents of one of these attachments and in so doing invoked a virus or worm, I’m certain that Norton would have caught it. But this wasn’t just a couple of hidden infected payloads, it was more than 300 – roughly 0.15% of my messages!

In a corporate network this would have interesting implications. If 1,000 users have archives of 1,000 messages each, that could be 15,000 hidden infections. Given that end-user anti-virus systems occasionally get turned off for whatever reason, you are guaranteed to see outbreaks of old viruses that will happen randomly forever. Are you worried now?

Tell me your worries at backspin@gibbs.com