Another place where "Default Permit" crops up is in how we typically approach code execution on our systems. The default is to permit anything on your machine to execute if you click on it, unless its execution is denied by something like an antivirus program or a spyware blocker. If you think about that for a few seconds, you'll realize what a dumb idea that is. On my computer here I run about 15 different applications on a regular basis. There are probably another 20 or 30 installed that I use every couple of months or so. I still don't understand why operating systems are so dumb that they let any old virus or piece of spyware execute without even asking me. That's "Default Permit."

SAN FRANCISCO — Google said on Friday that for more than three years it had inadvertently collected snippets of private information that people send over unencrypted wireless networks.

he admission, made in an official blog post by Alan Eustace, Google’s engineering chief, comes a month after regulators in Europe started asking the search giant pointed questions about Street View, the layer of real-world photographs accessible from Google Maps. Regulators wanted to know what data Google collected as its camera-laden cars methodically trolled through neighborhoods, and what Google did with that data.

Google’s Street View misstep adds to the widespread anxiety about privacy in the digital age and the apparent willingness of Silicon Valley engineers to collect people’s private data without permission.

The airline's central computer which registered technical problems on planes was infected by Trojans at the time of the fatal crash and this resulted in a failure to raise an alarm over multiple problems with the plane, according to Spanish daily El Pais (report here). The plane took off with flaps and slats retracted, something that should in any case have been picked up by the pilots during pre-flight checks or triggered an internal warning on the plane. Neither happened, with tragic consequences, according to a report by independent crash investigators.

We received some e-mails about active exploitation of this vulnerability in the wild. While there are potentially hundreds, if not thousands of applications that are vulnerable, it appears that the attackers so far are exploiting uTorrent, Microsoft Office and Windows Mail, which are, coincidentally or not, applications for which Proof of Concept exploits have been published. Remember, it is extremely easy to exploit this and it doesn't require any advanced knowledge so be sure to check Microsoft's recommendation above or be very careful about files you open from network shares.

Waiting for a list of programs which are or are not vulnerable is
not a good way to approach this problem. The assumption should be
that any given executable is vulnerable. Don't even bother trying to
identify executables which call SetDllDirectory; there's still the
question of whether it is called correctly or consistently.

The default behavior of the system is broken. We cannot expect any
programmers to actually implement the obscure feature which changes
the default behavior. Expecting vendors to do so is not realistic. A
huge number of Microsoft's own executables do not implement the
setting and attempt to load optional DLLs. If Microsoft can't get
their own code to do it, expecting others to do so is unrealistic.
Assume everything is vulnerable.

My suggestion would be: Deploy the update in MSKB 2264107.
Configure CWDIllegalInDllSearch to remove the current directory from
the search path by default system-wide. Identify any programs which
stop working and make executable-specific exceptions to
CWDIllegalInDllSearch for them. Contact vendors of those applications
for updates (good luck with that!).

Ideally, use Software Restriction Policies/AppLocker to limit
loading of DLLs from trusted locations only.