As its name implies, the Windows HTML Help system is designed to help PC users by providing graphics, multimedia elements, and hyperlinks to additional information. But it turns out that attackers can use this system to help themselves to your files, and even to take control of your PC.
Two newly discovered security holes affect the HTML Help system and the Task Scheduler in Windows XP and 2000. The Help security bug also affects earlier versions of Windows, including 98, 98 SE, and Me.
Unfortunately, Microsoft has not yet finished developing patches for the older Windows versions and can't say when they'll be ready. When they are, the company says, users will be able to get the patches through Windows Update. One minor blessing: The older versions of the Windows operating system aren't susceptible to the Task Scheduler bug. (Task Scheduler allows users to set the times when specific jobs, such as system maintenance programs, will run.)
Before a malevolent cracker could exploit either security flaw, you would have to visit a Web site that hosted a malicious link, or click a link in an HTML e-mail that took you to the attacker's site. Like many security flaws in Microsoft products, these holes could be exploited by sending the system faulty or excessive information, causing the machine to malfunction. Then the attacker would transmit a program of his or her own to take control of your PC.
Microsoft designated the holes as "critical" because a cracker's successful assault could result in the complete takeover of your machine: The evildoer would then have free rein to steal your personal files or even to wipe out the contents of your hard disk.
Microsoft has now released patches for both flaws in Windows XP and 2000. If you use XP, I recommend getting Service Pack 2. Though the company hasn't yet posted patches for Windows 98 and Me systems, it has provided workarounds for both bugs.