I read in the news recently about how a new vulnerability was found in Windows that allowed web pages to infect computers without anyone doing anything other than going to them, regardless of web browser used or its security settings. The news article mentioned how the person who discovered it reported it to Microsoft, and when a week or so went by without a patch, published it to the world, presumably to force Microsoft into action. A few days later, this attack was spotted in the wild, infecting people's computers. This guy must be so proud.
Well, it really is as bad as all that. I did a Google Images search looking for a picture to include in Sunday's blog post, and then followed one of the links, and the resulting page loaded really slow and made my browser jerky so I closed it. This isn't entirely unusual: Flash apps can do that. But a few minutes later I was getting AV Security Suite warnings all over the place. I couldn't open any programs, even Task Manager or Explorer. I couldn't do anything without it telling me everything was installed. Very, very scary.
I was essentially limited to solving the problem using only what happened to be open at that moment. I was able to do a web search and found an article about the virus, though this article only mentioned the old methods of infection that required me to do something or use an insecure browser. That page also was pushing a pay spyware removal program (worse yet, the kind that doesn't tell you it's pay until you've installed it and wasted a half hour scanning before it'll tell you it won't fix the problem without paying). But I wasn't able to get to a copy of SpyBot to install it due to the virus blocking me, so I had to install and run the pay scanner just because it was on my screen and I was able to get to it already. It wouldn't remove the threat, but it did temporarily disable it long enough for me to download and install SpyBot.
It takes an age for the spyware programs to scan everything in the world before they're willing to try to fix anything, and the whole time, my computer's paralyzed. And this is a work computer, so it's pretty scary. But what's really scary is that I had no way to avoid this other than to stay off the Internet entirely. Just using a Google search and then going to one of the results pages was enough to get the infection. I never ran a program, I never clicked OK on anything, I never even saw a message. I only happen to know what page it was because I recognize (in hindsight) that the brief bogging-down of Firefox on that page was the virus installing itself, not some balky Flash app.
So Microsoft can burn in hell for having this vulnerability and not immediately fixing it. The guy who discovered it can burn in hell for being impatient about Microsoft fixing it and deciding to unleash it on the world, as if that would really prompt a fix faster than it would prompt people to misuse it. But most of all, the people who are using it to push scamware and malware can burn in hell twelve times over, because eleven times would be too good for them.