Slashdot Mirror


Microsoft Has No Plans To Patch New Flaw

Trailrunner7 writes "Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers."

4 of 217 comments

  1. Collateral Damage? by LostCluster · · Score: 0, Offtopic

    What was the main use for the Realtek Semi certificate that's being revoked? I would hate to see a bunch of SmoothWall/Untangle implementations shut down by having their network drivers revoked....

  2. Re:Whose fault is it? by KlomDark · · Score: 0, Offtopic

    The "autorun" functionality is both a blessing and a curse, and has been for quite some time. It is not the direct point, although I agree the headline sure tries to make it seem like that's the issue.

    Autorun can be, and has been, bitterly debated for a long long time. As an experienced geek, I myself find it quite moronic. However, they also have to support the run-of-the-mill crowd, the non-technical types, where autorun makes sense in a lot of scenarios, as well as the issues that come with it.

    However, in this case, they took ample time to complete their "due diligence" and the "requiring signed drivers" solution is a very reasonable way of mitigating the risks.

    If autorun was REQUIRED to install viruses, worms, bad drivers, etc, then I'd be 100% opposed to it. But they've done the best they can, and probably the best anyone's going to come up with to fully minimize the risk by requiring signed drivers. But there are many other ways to get a clueless user to do one of many things that could have the same effect. If there's a will, there's a way.

    But, I guess you'd like to throw the baby out with the bathwater entirely, and just get rid of autorun forever. While that's a clear logical choice to a heads-down geek, in the real world it's an acceptable risk to make driver installation painless for the vast jungle of technomorons out there who just want to plug some shiny toy into their computer and it just works. [And that's unfortunately the lion's share of people who buy shiny gadgets to plug into their computer.]

  3. ...and once again, smart to stick with XP by jbeach · · Score: 0, Offtopic

    It's almost like most large corporations resisting unneeded upgrades knew what they were doing.

    Seriously. Wtf. At this point I don't know if I will ever buy another post-XP Windows OS again. Even after the 2012 Mayan/Martian apocalypse. Windows 7 probably has a Mayan Calendar problem.

    --
    The Invisible Hand of the Free Market is what punches workers in the nuts.

  4. Re:Possible mitigation? by hairyfeet · · Score: 0, Offtopic

    Notice how ALL he can do is follow me around and waste mod points? Notice how he has NO answer? C'mon, you think Linux is a magic bullet, a cure to the world's ills, let's hear it then. How ARE you gonna pay for the hundreds of millions of workers to be retrained? How ARE you gonna come up with the millions of specialized apps that FLOSS developers have NO experience with, many of which are covered by software patents? How ARE you gonna deal with those tons of super expensive specialized pieces of hardware with NO documentation, no FLOSS drivers, and no chance in hell of a FLOSS developer ever being able to afford to buy, much less have running, just to write a driver for...hmmm?

    THIS is the problem with magic bullet thinking. It is a lie, a belief that "If only Linux was here, all would be hearts and flowers!" when in reality there is a GOOD reason why the majority of businesses don't switch. Do you think they LIKE buying Windows CALs? They enjoy spending money which could be spent on other things or kept as increased profits?

    I would say a lot of the reason Linux won't succeed as a desktop is this right here. Instead of accepting the myriad of problems and looking for solutions, advocates instead cling to magical thinking that it is MSFT, or a conspiracy, or the OEMs keeping them down, when it is their own failures doing that. Look at the Dell Ubuntu machines sometime, look at the repos. Notice something? Notice how even Dell, a Canonical OEM partner, can't use the Canonical repos? Why? Because Canonical has such shitty QA (which nobody calls them out on) that if you update from the normal repos it will break half the hardware drivers on the machine. But nope, magical thinking will save the day! I'm sure with (insert next distro number) it will all go away and be perfect...right?

    --
    ACs don't waste your time replying, your posts are never seen by me.