Gaping Holes in Internet Explorer
Keep up with the latest security cracks in Microsoft's browser--if you can.
Plugging holes in Internet Explorer is a perpetual whack-a-mole exercise--as soon as Microsoft patches one hole, the bad guys (or avid security researchers) expose new ones. Late in November, a massive security flaw in Internet Explorer prompted Microsoft to pump out a fix. On the heels of that patch, the company had to take care of six other, separate holes--and then a seventh one, two weeks later.
At about the same time, RealNetworks came under fire and patched three security problems in its RealOne Player that may affect its older RealPlayer program as well.
But first, IE's biggie: If you use IE 5.01, 5.5, or 6, make sure you fix the major hole involving IE's "Data Access Components," which let your browser talk to databases over the Internet, and which retrieve and return data to IE. If you click a malicious link, the vulnerability could allow an attacker to send too much data to your browser, causing one or more of the Data Access Components to fail. After that, theoretically, the offender could execute any code on your PC. If your system runs Windows XP, you're already protected. If it doesn't, get the details, as well as the link to the fix, from Microsoft.
Despite releasing Service Pack 1 for IE 6 last October and following up with a slew of other stand-alone fixes, Microsoft has rolled out two more cumulative patches. The first cumulative patch deals with six holes, but you're better off installing the second cumulative patch, as it handles those six vulnerabilities and a seventh one. The worst flaw could enable an Internet peeper to have a gander at data that you've stored on your PC.
Not every version of Windows is in danger of being hacked, but IE versions 5.01 through 6 are affected by six holes, while the seventh flaw affects IE 5.5 and 6. The situation gets complicated. Visit our Downloads page to discover whether your versions of Windows and IE are vulnerable, and to grab a link to the newer cumulative patch.
Get Real?
The three RealNetworks security defects endanger RealOne Player version 1. At press time, the company was not able to confirm whether earlier versions of the program (RealPlayer) are also susceptible. The potential attack would allow an invader to run arbitrary programs on a user's machine. A company spokesperson recommended that anyone using RealPlayer 8 or earlier versions upgrade their program to RealOne Player version 2. Jump to the RealNetworks support site for more details and for the update to fix your player. Alternatively, within the player, select Tools, Check for Update.
Microsoft Patches a Patch
Last summer, Microsoft fixed a glitch in Windows 98, 2000, Me, and XP that involved Microsoft-issued digital certificates, which help verify the authenticity of users, e-mail messages, and Web sites. Recently, however, the UK National Infrastructure Security Co-ordination Centre notified Microsoft that the earlier patch didn't completely seal up the hole; in fact, a smart attacker could still drive a truck through it. A bad guy could create a fake, secondary certificate that could let a Web site masquerade as an online store where you shop frequently. See Microsoft's Security Bulletin for the company's detailed explanation and for its updated version of the patch.
In Brief
Office SP Improves
Microsoft posted an update to Service Pack 3 for Office 2000. The original SP3 introduced problems for Outlook users trying to view attachments.
Outlook Update
Last month, I reported on a clash between Outlook 2002 and Office XP SP2. Microsoft subsequently added the fix to its downloads library.
Bugged?
Found a hardware or software bug? Tell us about it via e-mail at bugs@pcworld.com.
Stuart J. Johnston is a contributing editor for PC World.
