Naked Security reader Thu Win commented on my recent Patch Tuesday article to remind me that Micrososft, sorry, Microsoft, blundered into spell-check shock territory during the latest batch of updates.
There’s quite a bit of online laughter at the mistake, in which the software giant mis-spelled its own domain name in one of the update notifications presented by Windows Update:
I’m guessing that most users don’t bother to research the details behind every Windows Update announcement, so many of you may have applied this update without even noticing the glitch. Sadly for Micrososft, sorry, Microsoft, this one is going to be easy to find online for weeks, thanks to the embarrassingly definitive search term!
(This reminds me wryly of the 1990s Word macro virus, WM/Wazzu. This once-rampant virus randomly added the word “Wazzu” – the nickname for Washington State University – into documents as it spread. In a pre-Google-era form of Google Hacking, you could quickly find out which companies were lax at security simply by searching the web for officially-published corporate documents which contained this otherwise-unlikely word.)
But there’s a serious side to this Microsoft glitch: what about the well-informed users who clicked on the link? It’s not as though it arrived in an email, solicited or otherwise. It was presented by Windows itself, in an official dialog.
Fortunately – at least when I checked – the micrososft.com domain redirects to a domain parking site. (These are websites which collect click-through revenue – possibly only small amounts, but with near-zero effort – using elementary search and redirection facilities. They often aim to find prospective buyers for potentially-interesting domain names.)
It could have been much worse. If the “typosquat” domain name micrososft.com had belonged to cybercrooks, they would have enjoyed an endorsed-by-Microsoft opportunity to foist the malevolent code of their choice on trusting users.
Word is that Microsoft quickly altered the offending link, which now takes you where it should have all along.
Two pieces of advice:
* Look before you leap. If you can, double-check every link before you click it, even if it’s an official link from a well-known brand. If in any doubt, leave it out.
* Proofread everything. That especially includes messages delivered by your software. Don’t rely merely on a spell-check, which can’t easily tell if a web link is correct, since many domain names aren’t real words.
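One way to act on that second point is a link-linter run over outgoing notification text, added here as an example and not part of the original article or of anything Microsoft ships: it extracts every URL, checks the host against an allowlist of approved domains, and flags hosts that sit within a couple of edits of an approved one, which is exactly the case a spell-check waves through. The allowlist, the sample notification and the /kb/123 path are constructed for the example; only micrososft.com itself comes from the article.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for the example: domains this organisation may link to.
APPROVED_DOMAINS = {"microsoft.com", "sophos.com"}

URL_RE = re.compile(r"""https?://[^\s"'<>()]+""")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (fine for .com-style names)."""
    return ".".join(host.split(".")[-2:])


def check_links(text: str, approved=APPROVED_DOMAINS, max_distance: int = 2):
    """Return (url, verdict, approved_domain) for every URL found in text.

    verdict is "ok" when the host is an approved domain or a subdomain of one,
    "typo?" when its registrable part is within max_distance edits of an
    approved domain (third item = the domain it resembles), else "unknown".
    """
    findings = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:")  # drop sentence punctuation glued to the URL
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        matched = next((d for d in approved if host == d or host.endswith("." + d)), None)
        if matched:
            findings.append((url, "ok", matched))
            continue
        closest = min(approved, key=lambda d: edit_distance(registrable(host), d))
        if edit_distance(registrable(host), closest) <= max_distance:
            findings.append((url, "typo?", closest))
        else:
            findings.append((url, "unknown", None))
    return findings


# Constructed notification text; only the micrososft.com domain comes from the article.
SAMPLE_NOTIFICATION = (
    "For more information see http://www.micrososft.com/kb/123. "
    "Official help: https://support.microsoft.com/help, plus https://example.org/page"
)

if __name__ == "__main__":
    for url, verdict, domain in check_links(SAMPLE_NOTIFICATION):
        hint = f"  (did you mean {domain}?)" if verdict == "typo?" else ""
        print(f"{verdict:8} {url}{hint}")
```

Run it against release notes or notification templates before they ship; a "typo?" hit is worth a human look even when the domain happens to be parked today.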
Thanks to Thu Win, who in turn passes on his thanks to the folks on #wikipedia-en and #freenode.