Can You Really Trust That Download?
Stuart J. Johnston
Microsoft recently announced that someone tricked VeriSign, the company that issues digital certificates, into granting two certificates to a person claiming to be a Microsoft employee. That's a bit like allowing someone to steal a police officer's badge--it puts the thief in a position of trust that he or she can abuse.
When you download a program off the Web, its digital certificate guarantees that it comes from the company it says it comes from. Using the stolen certificates, though, a cracker could send you a Trojan horse, a virus, or another nasty piece of code that presents itself as an officially approved Microsoft program.
Microsoft has released a security update to address the problem, and offers a link to the 128KB fix (along with a FAQ section discussing the security breach and related issues).
For Norton AntiVirus users, Symantec says that any virus definitions dated March 23, 2001, or later will detect the two stolen certificates. Similarly, McAfee users are protected with virus definition files dated March 24, 2001, or later.
Hole in Outlook, Outlook Express
Outlook 98, Outlook 2000, and Outlook Express 5.x have a security hole in their VCard capabilities. A VCard stores your business card information in an electronic format. In addition, it permits you to send your contact information to other users as an attachment that they can load into their Outlook and Outlook Express contacts databases--no typing required.
Though it's handy, the VCard technology has a bug that enables a malicious hacker to create a VCard that could crash the user's e-mail program or, worst case, let the attacker take over the user's computer. In this last instance, the bad guy could do anything the user had privileges to do, including reformat the hard drive.
The specific element responsible for this flaw ships as part of Outlook Express and is shared by Outlook. Since IE installs Outlook Express by default, identifying the correct patch for your PC depends on the version of IE you use, not on the version of Outlook you have, according to Microsoft. (To find out which version of IE runs on your system, from within IE select Help, About Internet Explorer.)
The attack takes advantage of a buffer overflow error to flood the program with data. Envision a stoppered sink with the water left on. By sending the VCard feature too much info, the hacker can overwhelm Outlook or Outlook Express.
The patch turns off the flow by truncating the length of the character stream that the rigged VCard is trying to pour into the program.
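The bug class and the fix described above, as an added C example that is not from the article, from Outlook Express or from Microsoft's patch: a VCard's FN (formatted name) line is copied into a fixed-size contact field, first with an unchecked copy (the "stoppered sink") and then with a bounded copy that truncates over-long values and reports that it did so. The field size, function names and sample VCards are constructed for illustration; the page does not describe the real code or its field sizes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed size for the fixed buffer a hypothetical contact store reserves
 * for the FN field. The real Outlook field size is not stated in the article. */
#define NAME_FIELD 32

/* Before: the pattern behind the bug class. The value is copied with no regard
 * to the destination size, so a value of NAME_FIELD or more characters writes
 * past the end of dst. Shown for comparison only; never called with oversized
 * input in this example. */
void copy_field_unchecked(char *dst, const char *src, size_t srclen)
{
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
}

/* After: bounded copy, the behaviour the article attributes to the patch.
 * Copies at most dstsz - 1 characters, always NUL-terminates, and returns 1 if
 * the value was truncated (so the caller can log or reject the card), 0 if it
 * fit, -1 if there is no room for a string at all. */
int copy_field_bounded(char *dst, size_t dstsz, const char *src, size_t srclen)
{
    int truncated = 0;
    if (dstsz == 0)
        return -1;
    if (srclen >= dstsz) {
        srclen = dstsz - 1;
        truncated = 1;
    }
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return truncated;
}

/* Walk the VCard body line by line, find the FN: line and copy its value into
 * dst using the bounded copy. Returns the truncation flag, or -1 if the card
 * has no FN line. Lines end in CRLF or LF; the last line may be unterminated. */
int extract_fn(const char *vcard, char *dst, size_t dstsz)
{
    const char *p = vcard;
    while (*p) {
        const char *eol = strpbrk(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen >= 3 && strncmp(p, "FN:", 3) == 0)
            return copy_field_bounded(dst, dstsz, p + 3, linelen - 3);
        if (!eol)
            break;
        p = eol;
        while (*p == '\r' || *p == '\n')
            p++;
    }
    return -1;
}

/* Constructed sample cards: one that fits the field, one whose FN value
 * (40 characters) exceeds NAME_FIELD and would overflow the unchecked copy. */
static const char SAMPLE_OK[] =
    "BEGIN:VCARD\r\nVERSION:2.1\r\nN:Doe;Jane\r\nFN:Jane Doe\r\nEND:VCARD\r\n";
static const char SAMPLE_LONG[] =
    "BEGIN:VCARD\r\nVERSION:2.1\r\n"
    "FN:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "END:VCARD\r\n";

int main(void)
{
    char name[NAME_FIELD];
    int r;

    r = extract_fn(SAMPLE_OK, name, sizeof name);
    printf("ok card:   truncated=%d name=\"%s\"\n", r, name);

    r = extract_fn(SAMPLE_LONG, name, sizeof name);
    printf("long card: truncated=%d name=\"%s\" (%zu chars kept)\n",
           r, name, strlen(name));
    return 0;
}
```

A caller that receives the truncation flag can treat it as a signal rather than silently accepting the shortened name: a legitimate contact card rarely carries a name longer than the field, so a truncated FN is worth logging alongside the sender.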
Keep Folders Safe From Prying Eyes
Windows Millennium Edition enables you to compress directory folders and protect them with passwords. However, Microsoft recently reported that those passwords are actually written in plain text to a file on your computer. Anyone with physical access to your PC who wanted to poke through your most confidential files--and who knew where to look--would be able to access those passwords. This vulnerability does not affect any other password-protected areas (like Windows log-on). Versions of Windows 98 and 98 Second Edition with the Plus 98 add-on are also vulnerable.
Microsoft fixes the problem by preventing future passwords from being stored on the system. Two patches are available--one for Windows 98, and the other for Windows Me.
In Brief: IPaq Flash Crash
Feeling disconnected from your IPaq? You're not alone. Many owners of Compaq IPaq H3600-series Pocket PCs have been complaining for months that their handheld devices do not recognize some CompactFlash 56-kbps modem cards, including cards from New Media Tech and Kingston.
Compaq recently released a software patch for the glitch. The patch also fixes abnormal behavior of the IPaq's e-book reader. For example, the reader's page-scroll feature wasn't functioning properly.
The 1MB patch is identified as version 1.00A or later. At press time, Compaq said it was working on a ROM upgrade that will include this particular patch.
Found a hardware or software bug? Tell us about it via e-mail at bugs@pcworld.com. Stuart J. Johnston is a contributing editor for PC World.
