I bet you never thought the album art that Windows Media Player (WMP) shows while playing your favourite music could be the key to letting an attacker trash your computer. Or that downloading a new "skin" to change WMP's looks could open the door to your PC. But due to a problem with the way the player handles bitmapped images (.bmp files), that's just what might happen.

An attacker could use this hole to bypass your system's security and do anything from planting spyware to reformatting your hard disk for the heck of it. Aside from viewing poisoned photos of your favourite artists or downloading music or a new skin from a questionable site, you can also be infected in more traditional ways, such as via booby-trapped links on a Web site or an HTML e-mail.

The bitmap image format is one of the most common. Unfortunately, the part of WMP that handles the display of bitmaps has a flaw that permits a malicious cracker to send you a file that literally drowns it with data. WMP then crashes, passing control of your PC over to whatever commands or programs your attacker has queued to hit next.

Microsoft has distributed a patch to address this critical problem via Windows Update; you can also download it from All versions of WMP from 7.01 through 10 are at risk (but not earlier versions).

Don't delay in patching: at least two sites have already published code that takes advantage of this WMP hole, and it won't take a lot of effort to turn that code into a prefab component for use in a dangerous worm or virus.

Java Holes

Meanwhile, Sun is dealing with its own security problems in its Java Runtime Environment (JRE), the so-called virtual machine that allows you to run Java programs. You most commonly get JRE as a plug-in so your browser can run Java applets.

A number of flaws could potentially let a cyberthug execute whatever code they want just by tricking you into clicking on a malicious link.

To check your JRE version, click Start-Run, type cmd and click OK. At the DOS prompt, type java -fullversion and press <Enter>. You're safe if you have J2SE (Java 2 Standard Edition) 5.0 Update 6 (which shows as 1.5.0_06) or J2SE 1.4.2_11 - both already contain the updated JREs. If you don't, go to or the Cover Disc of the August 2006 edition of PC World Magazine for the latest patched version.

Bug drains laptops

If you ponied up for a pricey new laptop using one of Intel's Core Duo (dual-core) mobile processors, you may not be getting all the battery life you paid for. The culprit is Microsoft's new USB 2.0 Advanced Configuration and Power Interface driver, which was introduced with Windows XP SP2. Ironically, ACPI is meant to help conserve power. But with this bug, using any built-in or external USB 2.0 device can lead to extra battery drain. Microsoft released a partial workaround to PC makers last July, but it's deemed too complicated and risky for public release. Until there's a patch, save battery life by unplugging USB devices from your notebook when running on the battery.

Mozilla Woes

Researchers recently identified eight security holes in Mozilla's Firefox 1.5 browser and in pre-1.0 versions of Mozilla's SeaMonkey browser and e-mail suite, affecting Windows, Linux and Mac users alike. Earlier Firefox versions are not affected. The worst of these flaws could result in an attacker taking over your system, but Firefox and later or SeaMonkey 1.0 and later are safe. You should receive the Firefox updates automatically if you have at least version 1.5. Otherwise, get the latest Firefox and the updated SeaMonkey from the Cover Disc of the August 2006 edition of PC World Magazine or and

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Cate Bacon

Aruba Instant On AP11D

The strength of the Aruba Instant On AP11D is that the design and feature set support the modern, flexible, and mobile way of working.

Dr Prabigya Shiwakoti

Aruba Instant On AP11D

Aruba backs the AP11D up with a two-year warranty and 24/7 phone support.

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?