Bugs and Fixes: Security Holes Put Online IDs at Risk

Stuart Johnston

If you're not the type of person to pounce on every single Internet Explorer update, here's something that might change your mind: A security hole in older versions of IE could expose your identity if you use Web-based services like Hotmail. The problem is actually a new way to exploit an old security hole in IE versions 4.x through 5.01. The danger? A mischievous surfer with nothing better to do could steal the cookie that identifies you, at sites such as Hotmail, and masquerade as you. That means someone could send and receive e-mail through your account.

The vulnerability only affects sites, including Hotmail and Yahoo Mail, that use cookies as a way to immediately identify users, saving them the hassle of entering a user name and password each time they log on. Fortunately, most sites--in particular most e-commerce sites--don't use cookies to authenticate users like Hotmail and Yahoo Mail do. So you don't have to worry about this vulnerability at any site that requires you to type in a user name and password to enter secure portions of the site.

Microsoft says it has fixed its browser to stop an intruder from stealing cookies. So if you didn't upgrade Internet Explorer last time, do it now. To get the fix, download IE 5.5 from Microsoft. Alternatively, you can install IE 5.1 Service pack 1.

Latest PCs Too Fast for Comfort

If you thirst for speed, remember what you learned in driver's ed: Speed kills. And in the case of the hottest new computers on the market, speed could kill your data. Microsoft recently reported that superfast machines--933 MHz or higher--running Windows ME and Windows 98 can lose data when shutting down. The company says it's not to blame, though to date, similar problems have not been discovered on non-Windows systems. The problem, according to Microsoft, lies in the computers' hardware. Machines running at these racehorse speeds may be too fast for some hard disk drives.

When you save a file, for example, the data goes first to the disk cache, which serves as a holding area. Slower systems give the cache enough time to get the information onto the disk even if you save a file and shut down immediately. But the ultrafast processors shut the machines down so quickly that sometimes all the data doesn't make it. In addition, Windows carries out some other functions at the system level that you don't have any control over, like updating directory entries. These kinds of tasks would also be affected by the problem.

Microsoft says it has sent software patches to computer manufacturers to help fix the problem for now. Contact your PC maker to see if a patch is available. In the meantime, make sure you save what you're doing, then wait a little bit before shutting down your fast machine. For more information about the scope of the problem, see "Data Loss Threatens Fast Windows Systems."

In Brief

More Viruses Threaten Palm Devices

Last month we reported on the Liberty Crack Trojan horse, which attacks Palm OS handhelds. McAfee.com has discovered two additional assailants. One, a virus known as Phage, causes screen blackouts and infects other programs; it can also spread through e-mail or an infected Web site. The other, called Vapor, is a Trojan horse that hides all the icons for your third-party apps as if they'd been deleted. McAfee.com has posted disinfection instructions in its Virus Information Library. Once you're there, click Newly Discovered Viruses and scroll down to the links (also provided here) for Phage and Vapor.

MSN Explorer Banishes Outlook Express

If you downloaded Preview 2 of Microsoft's new Internet software, MSN Explorer, you may have run into an unpleasant glitch: MSN Explorer kicks out Outlook Express and installs Hotmail as the default e-mail program. Currently, as soon as you accept the end-user license agreement, your e-mail program is converted to Hotmail. Microsoft has promised to fix this problem so that you can tell MSN which e-mail program you want (Outlook Express is the only program bumped by the glitch). The fix should be available by the time you read this. For details, go to MSN.

Stuart J. Johnston is a journalist and tech columnist based in Bellevue, Washington.