A critical new vulnerability lingers in Internet Explorer, just as Microsoft tries to task users with helping build its malware database.
Details
Is it possible that Microsoft intends to get a leg up on Symantec and other competitors by co-opting users into serving as a free sampling network? The software giant, perhaps misjudging the mood of many IT security managers and other users sophisticated enough to identify and isolate a virus, has published e-mail addresses for users to submit samples of viruses, worms, and other malware.
You can send your viruses to avsubmit@submit.microsoft.com; submit your spyware samples to windefend@submit.microsoft.com. Microsoft would apparently like users to submit samples in a particular way, but I'll leave that for you to discover if you want to participate as an unpaid security consultant.
Of course, some of us feel that Microsoft might be better off fixing existing security issues in applications. A good place to start is Internet Explorer 6, which turned out to contain yet another critical new vulnerability.
Exploit code is already circulating for the latest big hole in IE 6. The vulnerability, present even in fully patched IE 6 on Windows XP SP2, lets a remote attacker run arbitrary code with the rights of the logged-on user simply by getting the victim to view a malicious Web page, which means complete control of the system when that user is an administrator. On March 24, Microsoft reported that it had received reports of attacks using this vector.
Microsoft has acknowledged the flaw, a memory corruption bug in the way HTML objects handle unexpected method calls, in Microsoft Security Advisory 917077 ("Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution"). Note that the advisory describes the problem and workarounds; it is not a patch. It seems that the only users not at risk are those actually running the Microsoft Internet Explorer 7 Beta 2 Preview, released on March 20.
There are currently two Microsoft-approved workarounds for this vulnerability. Both work by stopping script from running unprompted, so both can adversely impact functionality on sites that rely on Active Scripting.
- Set IE to prompt before running Active Scripting, or simply disable Active Scripting, in both the Internet and Local Intranet Security Zones.
- Set the Internet and Local Intranet Security Zones to High (which, among other things, causes IE to prompt before running Active Scripting and ActiveX controls).
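The two workarounds above are per-zone settings stored in the registry, so they can be pushed out without walking every user through the Tools menu. The following script is an added example, not code from this column or from Microsoft's advisory. It applies the first workaround for the current user, keeps a backup of the old values, and verifies the result. It assumes per-user zone settings are in effect (no Security_HKLM_only policy forcing the machine-wide keys) and the zone layout Microsoft documents for Internet Explorer: zone 1 is Local Intranet, zone 3 is Internet, and the DWORD value named 1400 controls Active Scripting with 0 = Enable, 1 = Prompt, 3 = Disable. The backup file name and the function names are my own.

```powershell
# Added example: apply Microsoft's first workaround (Active Scripting -> Prompt)
# to the Internet (zone 3) and Local Intranet (zone 1) zones for the current
# user, keeping the old values so the change can be reversed once a patch ships.
# Assumptions: per-user zone settings apply (no Security_HKLM_only policy), and
# the documented zone layout: value "1400" = Active Scripting, 0 = Enable,
# 1 = Prompt, 3 = Disable.
$ZoneRoot        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones           = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
$ActiveScripting = '1400'
$Enable  = 0
$Prompt  = 1
$Disable = 3

function Get-ZoneSetting([int]$Zone, [string]$Name) {
    $key = Join-Path $ZoneRoot $Zone
    (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Set-ZoneSetting([int]$Zone, [string]$Name, [int]$Value) {
    $key = Join-Path $ZoneRoot $Zone
    Set-ItemProperty -Path $key -Name $Name -Value $Value -Type DWord
}

# Record the current state first; an undo file is what separates a workaround
# from an outage when the help desk starts getting calls.
$backup = @{}
foreach ($z in $Zones.Keys) {
    $backup[$z] = Get-ZoneSetting $z $ActiveScripting
    "{0,-14} zone {1}: Active Scripting was {2}" -f $Zones[$z], $z, $backup[$z]
}
$backup | Export-Clixml -Path "$env:TEMP\ie-zone-1400-backup.xml"   # file name is my own choice

# Apply the workaround: prompt rather than run script silently. Use $Disable
# instead of $Prompt if your users cannot be trusted to click "No".
foreach ($z in $Zones.Keys) {
    Set-ZoneSetting $z $ActiveScripting $Prompt
}

# Verify. A zone still reading 0 (Enable) means the change did not take,
# which almost always means a machine-wide policy is overriding HKCU.
foreach ($z in $Zones.Keys) {
    $now = Get-ZoneSetting $z $ActiveScripting
    if ($now -ne $Prompt) {
        Write-Warning "$($Zones[$z]) zone still has Active Scripting = $now"
    } else {
        "$($Zones[$z]) zone: Active Scripting now set to Prompt"
    }
}
```

To revert once a patch ships, Import-Clixml the backup and call Set-ZoneSetting on each zone with its saved value. A domain-wide rollout would carry the same two values through Group Policy rather than this script, but the verification step still applies: a zone that reads 0 after the change is being overridden by a machine policy, and the workaround is not actually in place on that box.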
Also this week, Secunia has reported that Sendmail 8.13.5 and earlier harbor a critical, remotely exploitable vulnerability. The official designation is CVE-2006-0058. Sendmail.org recommends that users either apply the patch released for version 8.13.5 and version 8.12.11, or upgrade to version 8.13.6, which contains the fix.
Final word
As the tax deadline looms, I wanted to point out some useful tax tips that don't get much publicity. First, every year media organizations make a gigantic deal out of the rush to file before midnight on tax deadline day.
It's obvious why the IRS likes this publicity, and we all know that TV news is all about scaring people so they concentrate on unimportant things, but any tax professional knows that you don't have to file by this year's April 17 deadline. Just pay a good faith estimate of what you think you owe (if anything), and file a 4868 automatic extension form by April 17. Every year, millions of people drive themselves to a frantic state of exhaustion, skipping deductions they're entitled to, when all they need to do is sign and submit a simple one-page form.
Second, if you have an adjusted gross income less than $50,000, you can get free tax software from the IRS. And no, the IRS really won't cheat you.
Third, if you have somehow "forgotten" to file for the past few years, and you don't actually owe anything, you haven't broken the law. I've gotten into several fights over the years about this one, but it's true: Most people aren't really required to file a tax return—just to pay their taxes.
The consequences of this misconception are serious. If you didn't file but are due a refund because of excessive withholding, you only have until this year's April 17 deadline to file as far back as three years and get your refund.
Finally, I can't resist making one comment about Microsoft asking for users to help build its virus database—would that be like depending on unpaid beta testers to perform half of its development work?
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.