Professor Michael Froomkin of the University of Miami School of Law is one of my favorite bloggers. His insights on civil rights and legal issues are always worth reading. However, when the good professor strays into territory where he’s not an expert, things sometimes go a little wrong. Witness this post from today: Fix a Microsoft Vulnerability
If you read the blog entry in question, it sounds alarming. Unfortunately, the third-party security advisory that Prof. Froomkin references was from February 2002. It has long since been corrected. Any Windows user who is up to date with security patches – a procedure that is required with ALL operating systems, including the Mac OS and all variants of Linux – is protected from this.
It’s also one of the least problematic security issues I know. An attacker who successfully exploited this issue on an unpatched machine could not plant a program on your computer or execute a program from another location. He could only run an existing program on your PC, and then only if he knows the exact location of that program on your PC. It was an interesting proof of concept but it required a lot more work before it could be used for a hostile action.
And in fact, the system worked. GreyMagic published this security advisory in February 2002. On March 28, 2002, Microsoft published Security Bulletin MS02-015, which publicly addressed the problem. A fix was included in an accompanying Internet Explorer Security Update. This fix is included in Windows XP with Service Pack 1 or later.
I promise to chat with Professor Froomkin before I write about complex legal issues here. In exchange, I offer my technical expertise on Windows and Windows security advisories to my favorite law professor the next time he thinks about wrinting another Windows-related post.
Update: Professor Froomkin, in the comments below, notes that he was misled by a false report from Spybot S&D. This is indeed an error in Spybot, as I note in a follow-up post to this one. Click here for details about the phony “DSO exploit” error in Spybot S&D 1.3. Oh, and I meant what I said about his blog, Discourse.net. His work is just excellent, and it’s on my list of essential blogs to follow.