Even though Microsoft has just delivered one of its largest batches of security patches ever - including one for a critical hole in Word - hackers and researchers have found three new (and as yet unpatched) holes involving Excel.
Two of the bugs permit attacks when you open a doctored Excel spreadsheet stored on a Web site or sent as an e-mail attachment. The first is clearly related to the way Excel handles memory, and could enable an attacker to take control of your PC. It hits Excel versions 2000 through 2003 for Windows, Excel 2004 and v. X for Mac (a Microsoft blog posting at http://blogs.technet.com/msrc/archive/2006/06/24/438657.aspx addresses the Excel issues).
According to Microsoft, the second problem, which can arise if you click a poisoned link in a spreadsheet, is caused by a deeper bug in the part of Windows that handles hyperlinking. At press time, the company had not said what versions of Windows are affected. A third flaw, recently reported to a hacker site, involves an attacker's use of an Office feature to embed a doctored Flash movie, for example, in an Excel spreadsheet or other Office document.
Microsoft says that fully patched Windows systems already incorporate a "kill bit" designed to protect against malicious add-ins of the third variety. But at least one attack has exploited the Excel memory-related bug noted earlier. And proof-of-concept code, which real-world attacks are based on, is already available for the second, hyperlinking vulnerability. So - as always - you should treat unexpected e-mail attachments with extreme caution, even if they appear to come from someone you know and trust.
Other critical holes closed
Microsoft's most recent group of 21 patches closed a Word hole from May that was the target of a zero-day attack, plus a host of other problems, including eight critical vulnerabilities. Any of the eight could allow "remote code execution," which is shorthand for letting an attacker exercise free rein over your PC. Windows Media Player, PowerPoint, Internet Explorer and other apps all got patched.
Microsoft distributed the patches via Windows Update. Run it manually from the Start menu if you've disabled Automatic Updates, or go here for direct download links and more information on the patches.
Microsoft has been distributing a small notification program via Automatic Updates that issues constant nagging reminders if Windows Genuine Advantage suspects you of running an unlicensed version of Windows.
Well, recent revelations that the app "phones home" to Microsoft and significant public outcry have prompted the company to post instructions for manually disabling and removing the program (you can't remove it via Add or Remove Programs).
Go to http://support.microsoft.com/kb/921914 to find out how.
Some users of the popular Apple music player have endured seemingly random failures. Apple's instructions for resetting shuffles work for some owners, but only if iTunes or the iPod Updater still recognises the shuffle. Frustrated users and owners of dead shuffles have tried to help one another on Apple's iPod support forums. Search the forums for "flashing green and orange lights" to find the appropriate thread.
Notebook drain fix
Remember the Windows XP SP2 notebook power bug that drains batteries extra quickly? Microsoft has quietly patched it. Go to http://support.microsoft.com/kb/918005 for more information.
Adieu to Win 98/Me
The hourglass has run out for Windows 98, Windows 98 Second Edition and Windows Millennium Edition. Microsoft no longer provides new security patches for those OSs.