A critical new vulnerability lingers in Internet Explorer,
just as Microsoft tries to task users with helping build its malware database.
Is it possible that Microsoft intends to get a leg up on
Symantec and other competitors by co-opting users into serving as a free
sampling network? The software giant, perhaps misjudging the mood of many IT
security managers and other users sophisticated enough to identify and isolate
a virus, has published e-mail addresses for users to submit samples of viruses,
worms, and other malware.
You can send your viruses to firstname.lastname@example.org; submit
your spyware samples to email@example.com.
Microsoft would apparently like users to submit samples in a particular way,
but I’ll leave that for you to discover if you want to participate as an unpaid
Of course, some of us feel that Microsoft might be better off
fixing existing security issues in applications. A good place to start is
Internet Explorer 6, which turned out to contain yet another critical new
Exploit code is
already available to take advantage of the latest big hole in IE 6. The
vulnerability, which exists even in fully patched IE 6 and Windows XP SP2
versions, can allow remote attackers to gain complete control over a vulnerable
system. On March 24, Microsoft reported that it had received reports of attacks
using this vector.
Microsoft has addressed the HTML Object flaw, which can
corrupt memory, in Microsoft
Security Advisory 917077 (“Vulnerability in the way HTML Objects
Handle Unexpected Method Calls Could Allow Remote Code Execution”). It seems
that the only users not at risk for
this are those who are actually using the Microsoft Internet
Explorer 7 Beta 2 Preview, released on March 20.
There are currently two Microsoft-approved workarounds for this vulnerability. However, both methods can adversely impact functionality.
- Set IE to prompt before running Active Scripting, or simply disable Active Scripting in the Local Intranet Security Zone.
- Set the Internet and Local Intranet Security Zones to High (which causes IE to prompt before running Active Scripting).
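The first workaround is a per-zone setting that administrators usually end up changing on many machines and then reverting once a patch ships. The PowerShell script below is an added example, not code from the column or from Microsoft's advisory: it audits the current Active Scripting setting for the Local Intranet and Internet zones of the current user and can switch it to Prompt or Disable, keeping a backup so the change can be undone. It assumes the standard per-user zone keys under HKCU (subkey 1 = Local Intranet, 3 = Internet, value name 1400 = Active Scripting, with 0 = Enable, 1 = Prompt, 3 = Disable); the function names, the backup path and the zone list are the example's own choices.

```powershell
# Added example: audit and apply the "prompt before running Active Scripting"
# workaround for the zones named in the advisory, per current user.
# Assumed registry layout (standard IE zone settings, not taken from the column):
#   HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<id>
#   id 1 = Local Intranet, id 3 = Internet
#   value 1400 = Active Scripting: 0 = Enable, 1 = Prompt, 3 = Disable
# Machine-wide or Group Policy-managed settings live elsewhere and take precedence.

$ZonesRoot           = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames           = @{ 1 = 'Local Intranet'; 3 = 'Internet' }
$ActiveScriptingName = '1400'
$Meaning             = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IEActiveScriptingSetting {
    # Report the current Active Scripting setting for each zone of interest.
    foreach ($id in ($ZoneNames.Keys | Sort-Object)) {
        $key = Join-Path $ZonesRoot $id
        $raw = (Get-ItemProperty -Path $key -Name $ActiveScriptingName -ErrorAction SilentlyContinue).$ActiveScriptingName
        if ($null -eq $raw) {
            $setting = 'Not set (zone default applies)'
        } elseif ($Meaning.ContainsKey([int]$raw)) {
            $setting = $Meaning[[int]$raw]
        } else {
            $setting = "Unknown ($raw)"
        }
        [pscustomobject]@{ Zone = $ZoneNames[$id]; ZoneId = $id; Value = $raw; Setting = $setting }
    }
}

function Set-IEActiveScriptingSetting {
    # Apply Prompt (1) or Disable (3) to the given zones. A CSV backup of the
    # previous state is written first so the workaround can be rolled back
    # once a patch is installed. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet('Prompt', 'Disable')] [string] $Mode = 'Prompt',
        [int[]] $ZoneIds = @(1, 3),
        [string] $BackupPath = (Join-Path $env:TEMP 'ie-zone-1400-backup.csv')
    )
    $newValue = if ($Mode -eq 'Prompt') { 1 } else { 3 }
    Get-IEActiveScriptingSetting | Export-Csv -Path $BackupPath -NoTypeInformation
    foreach ($id in $ZoneIds) {
        $key = Join-Path $ZonesRoot $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess("$($ZoneNames[$id]) zone", "set Active Scripting to $Mode")) {
            Set-ItemProperty -Path $key -Name $ActiveScriptingName -Value $newValue -Type DWord
        }
    }
    Write-Verbose "Previous settings saved to $BackupPath"
}

# Usage:
#   Get-IEActiveScriptingSetting             # audit before changing anything
#   Set-IEActiveScriptingSetting -WhatIf     # preview the change
#   Set-IEActiveScriptingSetting -Mode Prompt
```

Run the audit first on a representative machine, because the column's caveat applies: Prompt interrupts every scripted intranet application, and Disable silently breaks them, so the rollback backup is what makes the workaround tolerable until the patch arrives.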
Also this week, Secunia has reported that Sendmail versions prior to 8.13.5 harbor a critical vulnerability. The official designation for this new remote access threat is CVE-2006-0058. Sendmail.org recommends that users either apply the patch (available for version 8.13.5 and version 8.12.11) or upgrade to version 8.13.6.
As the tax deadline looms, I wanted to point out some useful
tax tips that don’t get much publicity. First, every year media organizations
make a gigantic deal out of the rush to file before midnight on tax deadline
It’s obvious why the IRS likes this publicity, and we all
know that TV news is all about scaring people so they concentrate on
unimportant things, but any tax professional knows that you don’t have to file
by this year’s April 17 deadline. Just pay a good faith estimate of what you
think you owe (if anything), and file a 4868 automatic extension form
by April 17. Every year, millions of people drive themselves to a frantic state
of exhaustion, skipping deductions they’re entitled to, when all they need to
do is sign and submit a simple one-page form.
Second, if you have an adjusted gross income less than $50,000,
you can get free tax software from the IRS. And no,
the IRS really won’t cheat you.
Third, if you have somehow “forgotten” to file for
the past few years, and you don’t actually owe anything, you haven’t broken the
law. I’ve gotten into several fights over the years about this one, but it’s
true: Most people aren’t really required to file a tax return—just to pay their
The consequences of this misconception are serious. If you didn’t
file but are due a refund because of excessive withholding, you only have until
this year’s April 17 deadline to file as far back as three years and get your
Finally, I can’t resist making one comment about Microsoft
asking for users to help build its virus database—would that be like depending
on unpaid beta testers to perform half of its development work?
John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.