Bugs and Fixes: Fix flaws in IE

Microsoft Word and Acrobat are also vulnerable to attacks from poisoned files.

The explosion of user-generated multimedia content has made the Web more fun, but unfortunately the bad guys get to play, too. These days some of the easiest venues for an attack are sites that let users post their own material.

For example, the Internet Storm Center, which tracks online assaults, recently reported that criminals used normal JavaScript features in Apple QuickTime movies to launch an attack against a MySpace vulnerability. When users viewed an infected movie on a MySpace page, the video (via the flaw) embedded itself on their own MySpace pages, and replaced their links with pointers to phishing sites. That flaw has since been fixed, but new program vulnerabilities keep the user-posted-content threat alive.

WMP problems

Microsoft recently patched two critical holes in the way WMP (Windows Media Player 6.4 through 10) handles streaming media files with .asf and .asx extensions. An active attack using either hole would set you up for a classic drive-by malware download if you viewed a tainted page in IE (and thereby automatically called up Media Player to play a video or audio file) or otherwise pulled poisoned content directly into WMP. And, according to Microsoft, you have a particular risk of encountering such content on sites "that accept or host user-provided content or advertisements". The flaw affects WMP in Windows 2000 Service Pack 4 through Windows XP SP2; get the fix via Automatic Updates, or at http://microsoft.com/technet/security/Bulletin/MS06-078.mspx Version 11 of WMP (Windows Media Player) is not at risk. At press time neither bug had been exploited - but the proof-of-concept code, often a precursor to an attack, had been posted for one of them.

HOLE-Y IE 6

Microsoft also patched two critical flaws in Internet Explorer 5.01 through 6.0 SP1 (in Windows 2000 SP4 through XP SP2) that could leave you open to an attack from a poisoned Web site (IE 7 is not vulnerable). Both holes take advantage of memory-corruption errors in the way IE handles scripts. No attacks are known to exist as of yet; but once again the company warns that sites hosting user-provided content are a likely avenue of attack.

Grab the fix through Automatic Updates, or as part of a large, cumulative IE patch at IE Patch

As for Word, Microsoft is warning about yet another pair of zero-day attacks that try to trick unsuspecting users into opening rigged Word documents. In Windows, the as-yet-unaddressed holes affect Word 2000, 2002 and 2003, plus Word Viewer 2003; for Macs, Word 2004 and Word X are also in danger. Works 2004, 2005 and 2006 are likewise affected.


In brief

Patch critical Acrobat Reader holes

Security company Sophos found critical cracks in the ActiveX control for versions 7.0 through 7.0.8 of Adobe Reader and Adobe Acrobat Standard and Professional. No attack exists yet, but if one arises you'd have only to visit a contaminated site in IE to be the victim of a drive-by download.

To close the hole, upgrade to version 8 of either product, or patch version 7. Adobe is working on an automatic update, but until that method is available, get the fix from Adobe Support

Bug slows IE 7

A Phishing Filter bug can reduce your computer to a crawl on Web sites with many frames. Get the fix at Support Microsoft

Vista battery drain

Notebooks with the new OS will have default settings that help connect to public hotspots but decrease battery life. To get more info - and change the settings - go to Windows Vista Blog

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Show Comments

Cool Tech

Toys for Boys

Family Friendly

Stocking Stuffer

SmartLens - Clip on Phone Camera Lens Set of 3

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?