Don't Share Cookies With Strangers
Grab fixes for the latest flaws in Internet Explorer and Windows Media Player.
Stuart J. Johnston
Want to keep thieves out of your PC's cookie jar? If you use Internet Explorer 5.5 or 6.0, you'll want to close the latest security hole--one that lets outsiders swipe cookies from your browser. Cookies are the little chunks of data that Web sites stick on your hard drive so they can recognize you the next time you visit their sites. IE's flaw: A nefarious attacker could steal your computer's cookies.
Most cookies do not carry important information, but some slow-witted shopping sites may record sensitive data (such as credit card numbers) in their cookies. By tricking you into clicking a specially crafted link on the attacker's Web site or in an HTML e-mail message, a hacker could gain access to all your cookies.
Microsoft has posted both a workaround and a patch for the problem. I recommend that you download the patch. Though the workaround will protect your PC from cookie grabbers, it does so by disabling Active Scripting--a type of code that Web sites depend on to carry out various functions. (Note: Any URL ending in the extension .asp uses Active Scripting; the abbreviation stands for "active server pages.") If you use Microsoft's patch instead of its workaround, Active Scripting will continue to operate.
Media Player Fix
If you are a major fan of streaming media and you use Windows Media Player, you need to know about four security problems. You can take care of all four holes in one download with Microsoft's latest patch. Three of the problems relate to Windows Media Player versions 6.4, 7.0, and 7.1, as well as to Windows Media Player for XP; one of the flaws affects version 6.4 only.
The vulnerabilities could let an interloper take charge of your computer. The attacker would send you an Advanced Streaming Format (ASF) file containing hidden code. If you subsequently played the file--or clicked a link on a Web site that played it--a slick intruder could crash your computer.
But it could be much worse: An attacker who figured out what operating system was running on your PC could do anything you could do on your computer--even reformat your hard drive, for instance.
Microsoft says that the patch removes the vulnerabilities by setting up a process to validate .asf files that come its way. Get Microsoft's bulletin and a link to the download for your version of the player. If you use the XP version, you'll also find the fix included in Microsoft's Critical Updates (via Windows Update).
Bugged?
Found a hardware or software bug? Tell us about it via e-mail at bugs@pcworld.com.
Stuart J. Johnston is a contributing editor for PC World.
In Brief
911 Virus Alert
Has your PC dialed 911 on its own lately? If so, you've been snared by an annoying worm. Known as W32.Funsoul@mm, the worm orders your modem to dial 911 automatically when your system starts up. Visit Symantec to get its Funsoul removal tool.
Nimda's Revenge
The Nimda virus is back--with a twist. The updated virus, named W32.Nimda.E@mm, avoids detection by antivirus programs that were designed to catch its previous incarnations. Norton AntiVirus definition files dated October 29, 2001, or later will protect you. Get Symantec's disinfection info.
Roxio Remedy
Would-be users of Roxio's Easy CD Creator 5.0x Platinum who either upgraded to Windows XP or had the OS preinstalled ran into one big snag: They couldn't burn CDs. Roxio has released separate patches to fix the problem, depending on the OS you had before upgrading to XP.
