From the article…

“We are looking closely at the methodology and results of the test to ensure that Windows Live OneCare performs better in future tests,” the Microsoft spokesperson told us, “and, most importantly, as part of our ongoing work to continually enhance Windows Live OneCare to ensure the highest level of protection and service that we can provide our customers.”  

BetaNews also reported that McAfee’s VirusScan Enterprise 8.1 flunked the test.

The February testing was done on Windows Vista. Virus Bulletin is a respected virus test organization. The test agains in the wild viruses. Their test procedure is documented here. As for software that past the test, Beta news reported they were…

…both CA’s Home and eTrust (enterprise) products, Fortinet’s FortiClient, F-Secure Anti-Virus, Kaspersky Anti-Virus 6.0 (which was added to the ZoneAlarm suite last November), Sophos Anti-Virus 6.5, and Symantec AntiVirus 10.2

Norton and McAfee are constantly prompting us to check our security settings, update our subscriptions, and/or buy more products. Given that most new PCs ship with one of these two packages preinstalled–and their subscriptions typically expire after 90 days–it’s almost certain they’ll nag you too. We have enough problems with our machines’ security without also having to worry about our security software.

I’d say I have to agree whole heartily, at least on the Symantec side. I’ve removed the trial Symantec software numerous times (and replaced it with something else) to improve the performance of the PC. My exposure to McAfee is less, although none of those experiences were good.

Windows Update also made the list at number 9. Mainly for it’s use to distribute Windows Genuine Advantage.

PC World added some of there own to the list and it included Plaxo. This is a address book update service that spammed everyone in their member’s address book whenever they changed any info. The recipients could avoid the spam by signing up for the service. Ok, I agree they didn’t actually violate any laws but sure sounds like extortion on the surface. They stopped the practice in 2006.

They also address six other vulnerabilities in the Graphics Rendering Engine (GDI), although none are rated critical.

They make a note of an known issue with the Realtek HD Audio Control Panel (Rthdcpl.exe) on Windows XP SP2 which is documented here.

The Microsoft bulletin for “home users” is here.

The Microsoft bulletin fot “technical users” is here.

As usual, the patch will be in Windows update.

The only real protection from this vulnerability would be for Microsoft to release a patch. The next “patch Tuesday” is April 10th. [Updated 4/2: Microsoft has said they will release a patch on Tuesday 4/3]

There’s also a significant impact within e-mail. The microsoft security bulliten mentions e-mail as a method to exploit the vulnerabilty.

What might an attacker use this function to do?
An attacker could try to exploit the vulnerability by creating a specially crafted web page. An attacker could also create a specially-crafted email message and send it to an affected system. Upon viewing a web page, previewing or reading a specially crafted message, or opening a specially crafted email attachment the attacker could cause the affected system to execute code. While animated cursors typically are associated with the .ani file extension, a successful attack is not constrained by this file type.

Even previewing the mail message in an preview pane could infect the machine. (See below for exceptions to this)

Microsofts recommendation for e-mail is: 

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section. 

• Read e-mail messages in plain text format if you are using Outlook 2002 or a later version, or Windows Mail to help protect yourself from the HTML e-mail preview attack vector. Microsoft Outlook 2002 users who have applied Office XP Service Pack 1 or a later version can enable this setting and view e-mail messages that are not digitally signed or e-mail messages that are not encrypted in plain text only.

Caveat: Reading e-mail in plain text on Windows Vista Mail does not mitigate attempts to exploit the vulnerability when Forwarding and Replying to mail sent by an attacker.

Note: Reading e-mail in plain text on Outlook Express does not mitigate attempts to exploit this vulnerability. Impact of Workaround: E-mail messages that are viewed in plain text format will not contain pictures, specialized fonts, animations, or other rich content. Additionally:

• The changes are applied to the preview pane and to open messages.

• Pictures become attachments so that they are not lost.

• Because the message is still in Rich Text or HTML format in the store, the object model (custom code solutions) may behave unexpectedly.

Microsoft makes the usual recommendations of not reading e-mail from a source you don’t know. But addresses can be spoofed or faked so any vulnerabity like this (where just viewing the message could infect the pc is a problem). Turnng off the preview pane will prevent accidents. There’s really isn’t any protection until Microsoft releases a patch.

Here’s a video of what happens when the vulnerability is used for a DoS attack on a PC (video via UneasySilence):