I bet you never thought the album art that Windows Media Player (WMP) shows while playing your favourite music could be the key to letting an attacker trash your computer. Or that downloading a new "skin" to change WMP's looks could open the door to your PC. But due to a problem with the way the player handles bitmapped images (.bmp files), that's just what might happen.
An attacker could use this hole to bypass your system's security and do anything from planting spyware to reformatting your hard disk for the heck of it. Aside from viewing poisoned photos of your favourite artists or downloading music or a new skin from a questionable site, you can also be infected in more traditional ways, such as via booby-trapped links on a Web site or an HTML e-mail.
The bitmap image format is one of the most common. Unfortunately, the part of WMP that handles the display of bitmaps has a flaw that permits a malicious cracker to send you a file that literally drowns it with data. WMP then crashes, passing control of your PC over to whatever commands or programs your attacker has queued to hit next.
Microsoft has distributed a patch to address this critical problem via Windows Update; you can also download it from www.microsoft.com/technet/security/Bulletin/MS06-005.mspx. All versions of WMP from 7.01 through 10 are at risk (but not earlier versions).
Don't delay in patching: at least two sites have already published code that takes advantage of this WMP hole, and it won't take a lot of effort to turn that code into a prefab component for use in a dangerous worm or virus.
Java Holes
Meanwhile, Sun is dealing with its own security problems in its Java Runtime Environment (JRE), the so-called virtual machine that allows you to run Java programs. You most commonly get JRE as a plug-in so your browser can run Java applets.
A number of flaws could potentially let a cyberthug execute whatever code they want just by tricking you into clicking on a malicious link.
To check your JRE version, click Start-Run, type cmd and click OK. At the DOS prompt, type java -fullversion and press <Enter>. You're safe if you have J2SE (Java 2 Standard Edition) 5.0 Update 6 (which shows as 1.5.0_06) or J2SE 1.4.2_11 - both already contain the updated JREs. If you don't, go to http://java.com or the Cover Disc of the August 2006 edition of PC World Magazine for the latest patched version.
Bug drains laptops
If you ponied up for a pricey new laptop using one of Intel's Core Duo (dual-core) mobile processors, you may not be getting all the battery life you paid for. The culprit is Microsoft's new USB 2.0 Advanced Configuration and Power Interface driver, which was introduced with Windows XP SP2. Ironically, ACPI is meant to help conserve power. But with this bug, using any built-in or external USB 2.0 device can lead to extra battery drain. Microsoft released a partial workaround to PC makers last July, but it's deemed too complicated and risky for public release. Until there's a patch, save battery life by unplugging USB devices from your notebook when running on the battery.
Mozilla Woes
Researchers recently identified eight security holes in Mozilla's Firefox 1.5 browser and in pre-1.0 versions of Mozilla's SeaMonkey browser and e-mail suite, affecting Windows, Linux and Mac users alike. Earlier Firefox versions are not affected. The worst of these flaws could result in an attacker taking over your system, but Firefox 1.5.0.1 and later or SeaMonkey 1.0 and later are safe. You should receive the Firefox updates automatically if you have at least version 1.5. Otherwise, get the latest Firefox and the updated SeaMonkey from the Cover Disc of the August 2006 edition of PC World Magazine or www.mozilla.com/firefox/ and www.mozilla.org/projects/seamonkey/.
