Microsoft Has No Plans To Patch New Flaw
Posted by timothy
from the who-uses-usb-drives-anyhow dept.
Trailrunner7 writes "Microsoft has acknowledged the vulnerability that the new malware Stuxnet uses to launch itself with .lnk files, but said it has no plans to patch the flaw right now. The company said the flaw affects most current versions of Windows, including Vista, Server 2008 and Windows 7 32- and 64-bit. Meanwhile, the digital certificate belonging to Realtek Semiconductor that was used to sign a pair of drivers for the new Stuxnet rootkit has been revoked by VeriSign. The certificate was revoked Friday, several days after news broke about the existence of the new malware and the troubling existence of the signed drivers."
Way to mislead abusing the headline to drive hits (Score:1, Informative)
No plans to patch flaw right now, as in some OOB patch, knucklehead.
Careful with that idea... (Score:3, Informative)
The ATI video card I have fails hard on XP64, so I got a driver some random guy that has nothing to do with ATI made instead, and it works great. If I were stuck using only drivers that were ATI-approved, I'd be majorly SoL.
I'm all for having the hardware verify that the driver actually is a valid driver for the hardware in question, just make sure that's ALL it does, or we'll lose the ability to use someone's hack to force a piece of hardware to work.
Re:Source? (Score:5, Informative)
there is no link here to any article that claims Microsoft has no plans to patch the flaw.
To be fair the summary states
it has no plans to patch the flaw right now
Which is in the 2nd link actually.
Microsoft said it is investigating the flaw and looking at possible solutions, however there was no clear indication that the company intends to patch the flaw in the near future.
Well, from that quote to the summary, there is quite a stretch, but what did you expect?
Re:Possible mitigation? (Score:5, Informative)
Did you even read the summary? Realtek's signing keys were stolen. That's why Verisign revoked them. Putting the verification keys in hardware wouldn't fix this issue.
Re:Possible mitigation? (Score:3, Informative)
Brilliant idea.
Re:Was there a point to this? (Score:5, Informative)
Do you propose a better model?
Yes, don't trust anything unless you absolutely have to. In user land, for example, we have SELinux and Apparmor to prevent applications from accessing things they shouldn't; protecting the kernel is obviously harder.
How about the Linux model, where if the user decides to load it then it can do absolutely anything with the system?
Generally speaking, Linux drivers are only installed if signed by the distro repository, and you have to trust that key: if it's compromised you're toast. Windows has three bazillion drivers signed by three bazillion keys and only one needs to be compromised.
Nor will Linux drivers be loaded automatically from a random USB key just because you browsed there.
Re:Whose fault is it? (Score:2, Informative)
The flaw that isn't going to be fixed "in the near future" is the "if a shortcut's icon is shown in Windows Explorer, then automatic execution of malicious code may occur" (perhaps this is some sort of buffer overflow in the icon parameter reader?). The best workaround? Disable the display of icons for shortcuts. Attack vectors? WebDAV, USB sticks, and LAN shares mostly. To that end, I'd imagine Microsoft is directly at risk given they likely have multiple rather huge LANs and it's already been demonstrated that at least some hackers are specifically targeting organizations (RealTek, for one). How much do you think Microsoft's source code is worth?
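An added example, not written by this poster or anyone else in the thread: a Python triage script that parses the Windows shell link (.lnk) binary format the comment above is talking about (the 0x4C-byte header, the LinkTargetIDList and the StringData section) and flags shortcuts whose item IDs embed a path to a .dll or .cpl library, which is the kind of shortcut a defender would pull off a USB stick or file share for closer review. The sample .lnk blobs are constructed inside the script with simplified item IDs rather than real Explorer item IDs, and the "library path inside an item ID" heuristic is my own assumption for illustration; it does not reproduce the Windows icon handler, and it will also flag legitimate shortcuts to Control Panel applets.

```python
"""Heuristic triage of Windows Shell Link (.lnk) files (added example)."""
import struct

HEADER_SIZE = 0x4C
# ShellLink CLSID {00021401-0000-0000-C000-000000000046}, little-endian fields
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (header offset 0x14)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
LIBRARY_SUFFIXES = (b".dll", b".cpl")   # heuristic, assumption for illustration


def parse_lnk(data: bytes) -> dict:
    """Return header flags, raw ItemID blobs and StringData of a .lnk file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a shell link header")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos, item_ids = HEADER_SIZE, []
    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size, = struct.unpack_from("<H", data, pos)
        pos += 2
        end = pos + id_list_size
        if end > len(data):
            raise ValueError("truncated LinkTargetIDList")
        while pos + 2 <= end:
            item_size, = struct.unpack_from("<H", data, pos)
            if item_size == 0:            # TerminalID closes the list
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("malformed ItemID")
            item_ids.append(data[pos + 2:pos + item_size])
            pos += item_size
        pos = end
    if flags & HAS_LINK_INFO:             # skip LinkInfo; not needed here
        link_info_size, = struct.unpack_from("<I", data, pos)
        if link_info_size < 4 or pos + link_info_size > len(data):
            raise ValueError("malformed LinkInfo")
        pos += link_info_size
    strings = {}
    for name, bit in STRING_FIELDS:       # CountCharacters + chars, no NUL
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {name} string")
        pos += count * width
        strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return {"flags": flags, "item_ids": item_ids, "strings": strings}


def library_refs(blob: bytes) -> list:
    """Library suffixes present in a blob as ANSI or UTF-16LE text."""
    lowered = blob.lower()
    return [s.decode("ascii") for s in LIBRARY_SUFFIXES
            if s in lowered or s.decode("ascii").encode("utf-16-le") in lowered]


def assess(parsed: dict) -> list:
    """Reasons to look closer at a parsed shortcut; empty list = no finding."""
    return [f"ItemID #{i} embeds a {suffix} path"
            for i, item in enumerate(parsed["item_ids"])
            for suffix in library_refs(item)]


def scan(data: bytes) -> list:
    try:
        return assess(parse_lnk(data))
    except (ValueError, struct.error) as exc:
        return [f"unparseable: {exc}"]


def build_lnk(item_ids=(), icon_location=None) -> bytes:
    """Constructed minimal .lnk: header, optional IDList, optional icon string."""
    flags, body = 0, b""
    if item_ids:
        flags |= HAS_LINK_TARGET_ID_LIST
        id_list = b"".join(struct.pack("<H", len(d) + 2) + d for d in item_ids)
        id_list += b"\x00\x00"            # TerminalID
        body += struct.pack("<H", len(id_list)) + id_list
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION | IS_UNICODE
        body += struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    return header + bytes(HEADER_SIZE - len(header)) + body


# Constructed samples; the item IDs are simplified stand-ins for Explorer's own.
BENIGN_LNK = build_lnk(item_ids=[b"\x1f" + bytes(15), b"notepad.exe\x00"],
                       icon_location="%SystemRoot%\\system32\\shell32.dll")
SUSPICIOUS_LNK = build_lnk(
    item_ids=[b"\x1f" + bytes(15), "\\\\removable\\x\\payload.dll\x00".encode("utf-16-le")],
    icon_location="%SystemRoot%\\system32\\shell32.dll")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(label, scan(blob) or "no findings")
```

The icon location string is parsed but deliberately not used as a signal: ordinary shortcuts routinely take their icons from shell32.dll, so a library name in that field says nothing on its own, which is why both constructed samples carry the same icon path and only the item-ID contents separate them.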
Re:Whose fault is it? (Score:5, Informative)
Do you have any familiarity whatsoever with this situation?
Windows has an acknowledged flaw/vulnerability related to its handling of .lnk files (shortcuts). That flaw is being exploited to install this malicious driver. The problem has been greatly compounded by the fact that the driver is signed by a previously-trusted private key, but this is not the original flaw. Normally the act of merely plugging in a USB thumbdrive does not immediately install system software such as device drivers. It is that acknowledged .lnk flaw that makes this possible.
If you can install a hardware driver with an exploit, you can also install a worm, rootkit, etc. This attack happens to install a device driver. If Realtek's private key had never been compromised, then instead of installing a malicious device driver, you'd have Windows users plugging in infected USB thumbdrives and immediately becoming members of botnets. The flaw is in the Windows system and its handling of shortcut files.
It is that flaw and only that flaw for which Microsoft is being blamed.
Why would they do that when Verisign can revoke only this specific Realtek cert? In fact that's exactly what they have done.
Seriously. Did you even bother to read the summary? At all? I'll quote it for you. This is the summary, verbatim:
Emphasis is mine. Now go clean the egg off your face.
Re:Certificate revoked (Score:5, Informative)
No. Windows' security model only checks the certificate during install.
And even so, it doesn't update the revocation list automatically on install, nor does it check with OCSP; you won't get the revocation certificate unless you specifically install "Root certificate updates" through Microsoft Update, which is usually found on the "optional" installs. So chances are that a lot of people will be able to install this malware in the future too.
Re:Working as intended? (Score:4, Informative)
I'm not a Windows expert, but isn't this exactly the way the certificate system is supposed to operate? This sounds like a security success story, not a failure.
Driver needs certificate to work with OS. Driver is found to contain security flaw. Certificate is revoked, OS refuses to recognize driver, security hole is closed. Now driver manufacturer has to clean up their act before their drivers are allowed back in the house.
The headline reads "Microsoft has no plans to patch new flaw", but isn't the certificate revocation at least as good as a patch? More so, because it seals off any *other* undiscovered bugs in the driver? Or am I missing something?
Please see this post [slashdot.org] where I correct a similar false notion. Then, please berate your teachers for failing to transmit basic reading comprehension skills to you. Hint: the signed malicious device driver is incidental and is not the flaw that Microsoft may or may not patch.
Sorry for the tone but I just don't see what part of this is difficult to understand.
Re:Certificate revoked (Score:5, Informative)
Windows' security model only checks the certificate during install.
64-bit versions of Vista and Windows 7 require a valid Class 3 code signing certificate to load the driver, not just on installation. Revoking that certificate will stop the devices from working, as the parent poster suspected. Though it may not be the same certificate for all Realtek uses.
Re:Possible mitigation? (Score:1, Informative)
Defragment the hard drive (which shouldn't be necessary at all)
Re:Possible mitigation? (Score:2, Informative)
drsmithy has always shown wilful ignorance of Microsoft's flaws.
As far as what's lacking from Microsoft's security model, managed software repositories and good updating systems are the most obvious lacks.
In addition, Microsoft's need to leverage its existing software stack means anyone who actually uses Windows instead of just ticking off feature lists will inevitably have to bypass or disable most of the recent security features. With the virtualisation tech they've bought, they had the opportunity to build an effective sandbox, but chose not to.