Bugs and Fixes: Fix flaws in IE

Microsoft Word and Acrobat are also vulnerable to attacks from poisoned files.

The explosion of user-generated multimedia content has made the Web more fun, but unfortunately the bad guys get to play, too. These days some of the easiest venues for an attack are sites that let users post their own material.

For example, the Internet Storm Center, which tracks online assaults, recently reported that criminals used normal JavaScript features in Apple QuickTime movies to launch an attack against a MySpace vulnerability. When users viewed an infected movie on a MySpace page, the video (via the flaw) embedded itself on their own MySpace pages, and replaced their links with pointers to phishing sites. That flaw has since been fixed, but new program vulnerabilities keep the user-posted-content threat alive.

WMP problems

Microsoft recently patched two critical holes in the way WMP (Windows Media Player 6.4 through 10) handles streaming media files with .asf and .asx extensions. An active attack using either hole would set you up for a classic drive-by malware download if you viewed a tainted page in IE (and thereby automatically called up Media Player to play a video or audio file) or otherwise pulled poisoned content directly into WMP. And, according to Microsoft, you have a particular risk of encountering such content on sites "that accept or host user-provided content or advertisements". The flaw affects WMP in Windows 2000 Service Pack 4 through Windows XP SP2; get the fix via Automatic Updates, or at http://microsoft.com/technet/security/Bulletin/MS06-078.mspx Version 11 of WMP (Windows Media Player) is not at risk. At press time neither bug had been exploited - but the proof-of-concept code, often a precursor to an attack, had been posted for one of them.

HOLE-Y IE 6

Microsoft also patched two critical flaws in Internet Explorer 5.01 through 6.0 SP1 (in Windows 2000 SP4 through XP SP2) that could leave you open to an attack from a poisoned Web site (IE 7 is not vulnerable). Both holes take advantage of memory-corruption errors in the way IE handles scripts. No attacks are known to exist as of yet; but once again the company warns that sites hosting user-provided content are a likely avenue of attack.

Grab the fix through Automatic Updates, or as part of a large, cumulative IE patch at IE Patch

As for Word, Microsoft is warning about yet another pair of zero-day attacks that try to trick unsuspecting users into opening rigged Word documents. In Windows, the as-yet-unaddressed holes affect Word 2000, 2002 and 2003, plus Word Viewer 2003; for Macs, Word 2004 and Word X are also in danger. Works 2004, 2005 and 2006 are likewise affected.


In brief

Patch critical Acrobat Reader holes

Security company Sophos found critical cracks in the ActiveX control for versions 7.0 through 7.0.8 of Adobe Reader and Adobe Acrobat Standard and Professional. No attack exists yet, but if one arises you'd have only to visit a contaminated site in IE to be the victim of a drive-by download.

To close the hole, upgrade to version 8 of either product, or patch version 7. Adobe is working on an automatic update, but until that method is available, get the fix from Adobe Support

Bug slows IE 7

A Phishing Filter bug can reduce your computer to a crawl on Web sites with many frames. Get the fix at Support Microsoft

Vista battery drain

Notebooks with the new OS will have default settings that help connect to public hotspots but decrease battery life. To get more info - and change the settings - go to Windows Vista Blog

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?