Bugs and Fixes: Fix flaws in IE

Microsoft Word and Acrobat are also vulnerable to attacks from poisoned files.

The explosion of user-generated multimedia content has made the Web more fun, but unfortunately the bad guys get to play, too. These days some of the easiest venues for an attack are sites that let users post their own material.

For example, the Internet Storm Center, which tracks online assaults, recently reported that criminals used normal JavaScript features in Apple QuickTime movies to launch an attack against a MySpace vulnerability. When users viewed an infected movie on a MySpace page, the video (via the flaw) embedded itself on their own MySpace pages, and replaced their links with pointers to phishing sites. That flaw has since been fixed, but new program vulnerabilities keep the user-posted-content threat alive.

WMP problems

Microsoft recently patched two critical holes in the way WMP (Windows Media Player 6.4 through 10) handles streaming media files with .asf and .asx extensions. An active attack using either hole would set you up for a classic drive-by malware download if you viewed a tainted page in IE (and thereby automatically called up Media Player to play a video or audio file) or otherwise pulled poisoned content directly into WMP. And, according to Microsoft, you have a particular risk of encountering such content on sites "that accept or host user-provided content or advertisements". The flaw affects WMP in Windows 2000 Service Pack 4 through Windows XP SP2; get the fix via Automatic Updates, or at http://microsoft.com/technet/security/Bulletin/MS06-078.mspx Version 11 of WMP (Windows Media Player) is not at risk. At press time neither bug had been exploited - but the proof-of-concept code, often a precursor to an attack, had been posted for one of them.

HOLE-Y IE 6

Microsoft also patched two critical flaws in Internet Explorer 5.01 through 6.0 SP1 (in Windows 2000 SP4 through XP SP2) that could leave you open to an attack from a poisoned Web site (IE 7 is not vulnerable). Both holes take advantage of memory-corruption errors in the way IE handles scripts. No attacks are known to exist as of yet; but once again the company warns that sites hosting user-provided content are a likely avenue of attack.

Grab the fix through Automatic Updates, or as part of a large, cumulative IE patch at IE Patch

As for Word, Microsoft is warning about yet another pair of zero-day attacks that try to trick unsuspecting users into opening rigged Word documents. In Windows, the as-yet-unaddressed holes affect Word 2000, 2002 and 2003, plus Word Viewer 2003; for Macs, Word 2004 and Word X are also in danger. Works 2004, 2005 and 2006 are likewise affected.


In brief

Patch critical Acrobat Reader holes

Security company Sophos found critical cracks in the ActiveX control for versions 7.0 through 7.0.8 of Adobe Reader and Adobe Acrobat Standard and Professional. No attack exists yet, but if one arises you'd have only to visit a contaminated site in IE to be the victim of a drive-by download.

To close the hole, upgrade to version 8 of either product, or patch version 7. Adobe is working on an automatic update, but until that method is available, get the fix from Adobe Support

Bug slows IE 7

A Phishing Filter bug can reduce your computer to a crawl on Web sites with many frames. Get the fix at Support Microsoft

Vista battery drain

Notebooks with the new OS will have default settings that help connect to public hotspots but decrease battery life. To get more info - and change the settings - go to Windows Vista Blog

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?