Serious Security Holes in Internet Explorer

Microsoft says it has fixed six problems--but one wasn't repaired completely.

Stuart J. Johnston

Thank you, Microsoft. Some months I worry that I won't have much to write about. But the bug factory in Redmond almost assures me of permanent employment.

This month, Microsoft released its most recent cumulative patch for Internet Explorer versions 6.0, 5.5, and 5.01. The patch fixes six newly discovered holes, and it includes all previous security patches. But the patch had been out for less than a day before bug trackers discovered a problem.

Danish bug catcher Thor Larholm and Israeli researchers at GreyMagic Software say the fix for one of the worst bugs works only with IE 6--not with versions 5.5 or 5.01. The bad bug is called a cross-site scripting vulnerability. A hacker could craft a Web page or send an HTML e-mail message that ran as if it were in IE's Local Computer zone. Typically, this zone has lower security settings than IE's Internet zone.

If the Web link or e-mail contained nefarious code, and if you had IE's security set to the lowest setting, the devious code could take over your PC.

Microsoft claims the patch blocks all attacks, but the bug experts say that it stops such attacks only on IE 6. "We have an investigation under way and will respond appropriately," says Christopher Budd, a program manager with Microsoft's Security Response Center. That answer is Microsoft-ese for "We will issue more patches if necessary." No word yet on when or whether Microsoft will do so.

Aside from the fix for the cross-site scripting hole, the cumulative patch contains two others that Microsoft calls "critical." One flaw would allow someone to read (but not change or delete) the files on your PC. Another hole would let a malefactor send you a special cookie, either through a Web page that you click or via an HTML e-mail that you open; this evil cookie could read the contents of other cookies.

Your system is protected from e-mail attack through all three holes if you've installed the Outlook E-Mail Security Update or if you're running Outlook 2002 with the "Read as plain text" option enabled.

Jump to Microsoft's Security Bulletin for a link to the cumulative patch. While you're on this Web page, click the Technical Details link for the Outlook update download and for more details about the update.

Microsoft promises that all of these fixes will be included in the upcoming Service Pack 1 for IE 6.0, but the company hasn't said when the service pack will be available.

Faulty Power Adapters With HP Speakers

It's another recall notice from HP. In June, I wrote about faulty power cords with Deskjet and Photosmart printers. This time, the recall involves Philips Electronics' adapters for the P1534A External Amplified Speaker sets. Between October 2000 and April 2002, HP sold about 90,000 defective adapters, either as part of speaker systems shipped with HP Vectra PCs or as separate units. No one has been injured, says the Consumer Product Safety Commission, but the adapters pose a shock hazard. Go to HP's site to find out how to identify the faulty adapter and get a free replacement.

In Brief

E-Mail Editor Flaw

If you use Microsoft Outlook 2000 or 2002 and have set up Microsoft Word to be your default e-mail editor, you're open to attack while editing in either Rich Text Format or HTML format. If you reply to or forward an e-mail sent by an attacker, the code could commandeer your PC. Go to Microsoft's Security Bulletin for the patch.

Messenger Hole

Fans of MSN Messenger or Exchange Instant Messenger 4.5 and 4.6 need to know about a flaw involving the MSN Chat control. The problem also affects anyone who installed the control before May 8 of this year. The hole could allow a cracker to take over your system completely. Visit Microsoft's Security Bulletin to get the fix.

Bugged?

Found a hardware or software bug? Tell us about it via e-mail at bugs@pcworld.com.

Stuart J. Johnston is a contributing editor for PC World.

©2008 About.com, a part of The New York Times Company.

All rights reserved.