On Fri, 22 Sep 2006, Paul Vixie wrote:
For assistance with Microsoft security issues in the US, call (866) PC-SAFETY
last but not least, according to http://isotf.org/zert/ there is a non-MSFT patch for the VML thing. i don't expect ISPs to recommend its use, due to liability reasons, but mentioning it or even proactively notifying about it might be a way to get people off the phone (or keep them from calling in).
The largest residential ISPs, covering about 80% of the residential users of the Internet, also have an additional resource called GIAIS. GIAIS is a Microsoft-supported group which gives ISP Operations, including help desks, a direct communications path with Microsoft. Microsoft makes the same PC-SAFETY Help Desk information it uses internally available to GIAIS member ISP Help Desks so customers get consistent answers whoever the customer calls.

http://www.microsoft.com/serviceproviders/resources/securitygiais.mspx

But more importantly GIAIS also provides a mechanism for ISPs to keep Microsoft up to date on the real-world situation. How many customers are being impacted, how many customers are calling ISP help desks with a particular security incident, etc. By exchanging hard data through the GIAIS program, if necessary with appropriate non-disclosure agreements in place, ISPs can help Microsoft decide when to release accelerated patches or improved work-arounds until a patch is available.

Unfortunately, Internet blogs and mailing lists are sometimes dominated by a few personalities that may be well-meaning, but don't always have a good handle on relevant measurement data.

Although computer professionals may understand the nuances, it's probably better to keep the general message as simple as possible. For example, don't eat fresh spinach products. It's difficult enough to get residential users to patch their computers at all, let alone to evaluate third-party patches or phishers distributing fake patches.

The simple message: For unmanaged Microsoft Windows computers, i.e. most home computers, turn on Automatic Windows Update. When this patch is available, your computer will get the patch directly from Microsoft, as well as future patches.

Computer professionals should also review the relevant Microsoft security advisories and may evaluate whether third-party solutions are appropriate for their computer environment.