Critical IE graphics flaw resurfaces

It's bad enough when crooks exploit bugs to ruin a home computer, but the consequences of a successful attack can be much worse. A substitute teacher in Norwich, Connecticut, found that out when a computer she was using in her classroom suddenly started showing pornographic pop-up ads to everyone in the class. She now faces up to 40 years in prison after being convicted of willfully showing her students the images. A security expert hired by her defense, however, says he found malicious software on the PC.

As you certainly know, Internet attacks often attempt to install porn-popping adware by exploiting the more dangerous types of bugs.

Last October I told you about one such problem in Internet Explorer involving Vector Markup Language, a rarely used, Microsoft-only Internet graphics format. Criminals launched multiple attacks exploiting the hole before Microsoft released a patch. And now, a second, very similar VML flaw is under fire.

Like its predecessor, this bug allows an attacker to take control of -- or download porn-popping adware to -- a PC running Windows XP Service Pack 2 or Windows 2000 SP 4 if the victim simply views a poisoned image within IE. Both IE 6 and 7 are affected, but IE 7 in Windows Vista is not.

You can obtain the patch through Automatic Updates, or you can download it from www.microsoft.com/technet/security/Bulletin/MS07-004.mspx

Office fixes

Microsoft also patched critical security holes in Excel and in Outlook (Outlook Express is not affected). Both vulnerabilities are rated "critical" for the Office 2000 versions of the programs, but are downgraded to "important" (the second-highest severity rating on Microsoft's scale) for Office XP and 2003. The Excel holes are present in Works Suite 2004 and 2005, too. As usual, either flaw can be exploited if you open a tainted file (.oss for Outlook or .xls for Excel) as an attachment or Web download.

Again, if you have Automatic Updates turned on, you should be protected. If not, get the Excel patches , and grab the Outlook patch , from Microsoft. At press time no attacks against these holes were yet circulating.


In Brief

Adobe PDF bug eases way for thieves

Adobe has patched a new problem with cross-site scripting (or XSS) in its Acrobat and Reader browser plug-ins that, according to security researchers, gave criminals an incredibly simple way to enter your system. Adobe says attackers could exploit the flaw through one easy-to-add line of programming in a doctored PDF and thereby take control of a computer.

Any browser that has the plug-in loaded is affected, so users of Firefox and Opera are as much at risk as IE users. Versions 7.0.8 and earlier of Acrobat and Reader are vulnerable. Adobe recommends upgrading to Acrobat 8 or, if that isn't possible, to 7.0.9 (6.0.6 for users who are limited to older editions). Get all the updates and more details from the Adobe Security Bulletin .

Early Vista bug

Windows Vista may be much more secure than previous versions of Windows, but don't let your guard down just yet. Microsoft has acknowledged a privilege-escalation bug that affects XP and Vista alike. The problem, though not nearly as dangerous as many XP bugs, could allow an attacker to make system changes that Vista's User Account Control feature would otherwise block. Microsoft hasn't provided a planned fix date. For more information, see the Microsoft Security Response Center Blog .

QuickTime flaw

Apple has patched another critical hole in its popular media software that affects both the Mac OS X and Windows (XP and 2000) versions. First revealed by the "Month of Apple Bugs" online project, the flaw enables attacks that use poisoned links starting with "rstp://" to take over your PC. Grab the patch at the Apple Downloads page.


Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?