Software Report [Bugs and Fixes: Windows, IE at Risk - 08/10/2005]



August 10th, 2005

Bugs and Fixes: Windows, IE at Risk

Contrib. Ed. Stuart J. Johnston

Last night I watched an old Stephen King sci-fi thriller called
"Maximum Overdrive." It was very campy and very bad. The premise: A
cometary radiation storm causes all machines--from Mack trucks to the
milk-shake maker at the local diner--to come alive and rebel against
humans.

In the digital universe, PCs are vulnerable to their own kind of
external threat: worms designed by hackers to deliberately turn your
system against you. Your protection: Patch, patch, and patch your PC.

Microsoft has released critical patches for newly discovered
vulnerabilities in Internet Explorer and Windows. One hole involves
the way that IE displays Portable Network Graphics files and affects
IE 5.01 through 6 Service Pack 1 running on Windows 98 through XP
Service Pack 2. (Although PNG is not a widely used graphics file
format on the Web, it could be used to launch an attack program.)
Things might appear fine in IE--no pop-up errors and no problems
viewing sites--until your PC starts deleting files and doing other
things, seemingly on its own.

To trigger an attack, you would have to click a link that leads to a
cracker's Web site or open an HTML e-mail message that contains a
flawed PNG file; these actions allow the attacker's site to send IE
too much data at once, creating a buffer overflow error. That leaves a
hole in your system through which a damaging program could enter. So
avoid the risk by getting the patch:
http://www.microsoft.com/technet/security/Bulletin/MS05-025.mspx

Windows Help Files Gone Awry

Microsoft has fixed a glitch in how Windows processes files in the
HTML Help system. You don't have to launch a Help file to set off an
attack; the malicious code will do it for you. The trigger could be
disguised as a bogus banner ad, for example, or a booby-trapped
button. The point is to get you to click a link that uses the Help
exploit to break into Windows.

A successful assault would let an attack program wreak havoc on a PC.
Systems running Windows 98 through XP SP2 are vulnerable. Fortunately,
this and the PNG hole apparently have not yet spawned an attack on
anyone's machine. Here's the patch:
http://www.microsoft.com/technet/security/bulletin/MS05-026.mspx

To keep up-to-date on the latest news, visit PC World's Info Center
for Windows:
http://www.pcworld.com/resource/infocenter/0,ctrid,6,ic,Windows,tk,srx,00.asp

Security Advisories Begin to Pay Off

Microsoft's pilot early-warning service, called Security Advisories,
has released an important alert and an update. First, Microsoft warned
about, and 12 days later patched, a hole in IE that could cause the
browser to crash, letting culprits break in. (There have already been
attacks, according to the company.) So protect your computer and
download the patch:
http://www.microsoft.com/technet/security/Bulletin/MS05-037.mspx

In the advisory, Microsoft also issued Update Rollup 1 for Windows
2000 Service Pack 4, containing patches released between June 2003 and
April 2005. You can get that update here:
http://support.microsoft.com/kb/891861

You can sign up for Microsoft's service here:
http://www.microsoft.com/technet/security/bulletin/notify.mspx

Read "Microsoft Revamps Security Hole Approach" for more about the
service:
http://www.pcworld.com/news/article/0,aid,120752,tk,srx,00.asp

* In Brief *

Hole in Adobe Apps: If you use Adobe Creative Suite 1, Photoshop CS,
or Premiere Pro 1.5, and you unintentionally disable your firewall
(for example, by accidentally unchecking a box in your network
configuration settings), you could be hit by a cyberassault. The
problem lies in the apps' license management technology. The programs
will continue to work, but without the updated license mechanism, your
PC is at risk. Bad guys prowling for an unpatched system could slide
into yours through this hole. Locate the update here:
http://www.adobe.com/support/techdocs/331688.html

Opera Fixes Flaw: A hole in Opera 7.x and 8 could let a cracker launch
a pop-up that looks as if it is from a site you're visiting, when in
fact it's from the hijacker's site. If you enter the data it asks for
(such as a credit card number), you could fall victim to a phishing
scam. Get version 8.02 here:
http://www.opera.com/download/

Bugged?

Found a hardware or software bug? Write to Stuart Johnston:
bugs*pcworld.com

Read Stuart J. Johnston's regularly published "Bugs and Fixes"
columns:
http://www.pcworld.com/resource/columnist/0,colid,2,tk,sr,00.asp


===
"In a world where more than 10 million Americans live with cancer -- we believe unity is strength, knowledge is power, and attitude is everything!"
-- Livestrong, by Lance Armstrong