Community-led efforts sometimes deliver security fixes before developers. Should you trust these solutions, or will they make your systems less secure?
As 2005 wound down, security professionals were worried. A major Microsoft Windows vulnerability had come to light that compromised computers if users did as little as visit a malicious Web site or view images with malicious code embedded. Attacks exploiting the flaw—a vulnerability in the handling of the Windows Meta File (WMF) format—had begun appearing by New Year’s Day.
Compared with the speed of events, Microsoft responded slowly. It presented a workaround that worked only in some cases and advised worried users to update their antivirus programs. Microsoft’s patch wasn’t available until it was fully tested, on January 6.
The episode was the most significant “zero-day” attack to date. So called because security professionals have no window (zero days) to respond to a vulnerability before an attack arrives, zero-day attacks have become a significant threat in the last few years. Though it’s understandable that Microsoft would release only a well-tested patch, this was cold comfort to security-conscious users wondering if the next image they viewed would be the one to compromise their systems.