Holey Browsers: Make Yours Secure

Stuart J. Johnston

Remember the browser wars? In the Web's early days, Netscape and Microsoft fought tooth and nail to deliver the best browser. These days, though, the news is more often about whose browser is most buggy. Unfortunately, this contest appears to be a dead heat between Netscape and Internet Explorer.

A few months ago, Netscape released a new plug-in for its 4.7x browsers--SmartDownload 1.3, which is supposed to simplify the process of downloading and installing new files. Netscape's plug-in works with other companies' browsers, including IE--versions 4.0 through 5.5--and several Linux browsers.

However, a hole in SmartDownload 1.3 could let an attacker take over your PC. The hacker could do anything you can do on your computer, such as access your files. According to bug hunter Fred Swiderski, the problem revolves around an "unchecked buffer." If you have SmartDownload 1.3 installed, a malicious operator can access your machine by sending that buffer more characters than it can handle.

Researchers at SecurityFocus.com, who also discovered the flaw, point out that if you click a link on a Web page that has an attack program lurking behind it, the hacker can take charge of your PC. So far, no real-world instances of this type of attack have been reported.

Netscape released SmartDownload 1.4 to fix the problem; you can also download version 1.4 from our Downloads library. (If your system has SmartDownload 1.2 or earlier, your PC isn't vulnerable.) Also check out Netscape's security bulletin. In the meantime, stay away from sites you're not sure you can trust. Better safe than sorry.

Latest Leak in Internet Explorer

Microsoft isn't off the hook this month. In the past, it has acknowledged and fixed bugs quickly. This time, though, the company is slow to provide a solution.

Veteran bug sleuth Georgi Guninski discovered a trick whereby a bad guy could disguise a dangerous executable file as something innocuous, like a common text file. If you click on such a file as an attachment in an e-mail message, IE steps in to open the file--and you may thereby be giving control of your computer to a wild program.

The deception takes advantage of an obscure feature of IE 5 called a Class ID that lets attackers create a fake extension, such as .txt, .bmp, or .gif, for a file intended to do your PC harm. The program that falsifies the extension is called an HTML application, or HTA.

At the time of this writing, Microsoft says it is still investigating the problem. For now, if you right-click the name of a file you receive in an e-mail message and choose Properties, a dialog box will display the file's true type. If the item looks like file.txt but Properties tells you it's really file.hta, delete the e-mail immediately.

McAfee QuickClean Disables System Restore

If your Windows Me computer uses McAfee QuickClean, versions 1.0 to 1.02, you could run into some trouble. QuickClean's Lite Registry Cleaner component is designed to eliminate redundant entries--and it does. But QuickClean goes a little overboard--it will zap a Registry key required to run Windows Me's System Restore. After that maneuver, all your current System Restore points will be removed and you won't be able to set up new ones.

McAfee released a patch to fix the problem. To get it, download it from our Downloads library. Or visit McAfeeHelp; type QuickClean in the Search tab, and in the list of results, select How to fix Windows Millennium missing System Restore. McAfee offers detailed instructions along with a link to the download. At press time, McAfee promised to add the fix to its Product Updates and Patches page.

In Brief: TiVo or Not TiVo

Some users of TiVo personal video recorders running version 2.0 software have reported problems. People who use them with the DirecTV service have encountered weird symptoms when their WishList contains the names of stars with single-word names, like Cher or Prince. The TV box reboots as often as every 20 minutes, making it nearly impossible to watch movies that have been recorded using the system's autorecording mode.

According to TiVo, the bug is confined to a small number of users, but the company says it has fixed the problem with the latest upgrade. TiVo is currently distributing version 2.0.1 to all customers. If you haven't received the automatic upgrade yet, visit, or call customer service at 877/367-8486.

Found a hardware or software bug? Tell us about it via e-mail at bugs@pcworld.com. Stuart J. Johnston is a PC World contributing editor.


©2008 About.com, a part of The New York Times Company.

All rights reserved.