The hole story

Attackers have been using increasingly novel means to break into Windows systems - for example, using doctored media files like music, Web graphics and video. Now joining that roster of dirty tricks are booby-trapped text fonts embedded in Web pages.

The bug sleuths at eEye Digital Security found a way to breach Windows' security by exploiting a flaw in how the OS displays text on Web sites. Web designers often use embedded fonts to guarantee that the text on a page will look the same in every browser.

All a cyberthug has to do is create a corrupted font on a Web site and wait for unsuspecting visitors. When you view the affected font in Internet Explorer - or in any application that uses Windows to show the fonts in question - the doctored text triggers a buffer overflow, disabling your PC's security and allowing the thug to then take control of your computer. Reading or even just previewing an affected HTML e-mail message in Outlook or Outlook Express can launch the attack too.

This flaw affects all versions of Windows, from Windows 98 through XP Service Pack 2, which means the majority of people online are potentially at risk. Microsoft has distributed the patch via Windows Update. You can also get it at find.pcworld.com/51564.

The discovery follows a recent rash of attacks that exploited holes in the way Windows displays certain types of images embedded in Web pages. Smart crackers figured out how to use what are called Windows Metafile (WMF) images to disable a PC's security.

More than ever, it pays to be careful what you click. These new vulnerabilities are especially troubling because you can compromise your system just by looking at a poisoned e-mail message or Web page.

Block outlook hole

A separate vulnerability affecting Outlook 2000, XP, or 2003 users may give a hacker control of your machine as well. Again, you simply have to open or preview a doctored e-mail to be compromised. Outlook's mishandling of a file format called Transport Neutral Encapsulation, or TNEF, is to blame. The problem is "critical" in Microsoft's eyes because the application uses TNEF when it sends or receives e-mail in the commonly used Rich Text Format.

As before, you can run Windows Update to get this patch; you can also download it at find.pcworld.com/51565.

Symantec AV Bug

Symantec has released patches to fix a hole in the way its antivirus software library handles certain compressed files.

If a hacker hides a booby trap inside a file or e-mail attachment ending with .rar, the library unwittingly launches the attack when it scans the file, running any command the hacker wants. Most of Symantec's products use the affected library.

To plug this hole, manually run Symantec LiveUpdate (by clicking LiveUpdate in the toolbar) to make sure you have the necessary patch. Repeat, if necessary, until you have all available updates.

Winamp Danger

If you open a specially crafted playlist (from a link on a malicious Web site, for example) with version 5.12 of Winamp, you'll end up with a buffer overflow error that could let the bad guys take over your PC. To get the fix, you need to upgrade to version 5.13 or later at www.winamp.com/player.

Microsoft Small Biz Accounting Glitch

If Microsoft Office Small Business Accounting 2006 gives a nondescript error and crashes every time you start it, reinstall the program's Service Pack 1. Find out more from Microsoft at find.pcworld.com/51678.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Show Comments

Cool Tech

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Breitling Superocean Heritage Chronographe 44

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?