Browser Patch Keeps Intruders Out
Plus: The new Windows 2000 service pack can clash with Symantec software.
Ever heard of the movie Piranha? Not too long ago, I stumbled on this bad 1978 sci-fi flick, which tells the story of a secret laboratory out in the boonies that raises genetically mutated piranhas. The fish accidentally escape from the tank into a local swimming hole. Predictably, mayhem ensues.
Images from the movie came floating into my head as I researched the latest batch of Internet Explorer flaws for this month's column. While you probably don't have to worry about being eaten the next time you go for a quick dip in a mountain stream, holes in IE could let a bad guy unleash the Web equivalent of piranhas--code that could leave data on your machine all chomped up.
Of course, I'm exaggerating a bit. Like most browser flaws, the latest threats are theoretical. To plug the holes, Microsoft has released a cumulative patch for IE versions 5.01 through 6.0. It fixes all previous security problems and two newly discovered ones.
The worst part about the new holes is that you can be attacked merely by visiting a miscreant's Web site, or by clicking a link in an infected HTML e-mail message. Once set loose, the attacker's code could eat away at everything on your hard drive.
One flaw is a buffer overflow or overrun hole, and the other is a flooding vulnerability. They are two of today's most common types of security weaknesses.
A buffer is where a program stores information until it's needed. If you stream video over the Web, for instance, your video app uses a special place in your PC's memory to store data until enough has been downloaded to begin playing the video. To cause an overflow error, a bad guy sends a particular buffer more data than it can hold. When it overflows, the attacker's code escapes into the rest of your PC's memory and begins executing--now the scoundrel can do anything on your PC that you can do. That's bad news.
The flooding vulnerability is similar. In this scenario, an attack program could send IE too many file download requests at once. You might experience an overpowering number of pop-up ads, say. Then, as in a buffer attack, the hacker's code executes without any system code to stop it.
Head to Microsoft Security Bulletin MS03-020 Cumulative Patch for Internet Explorer (818529) to download Microsoft's patch.
Stuart J. Johnston is a contributing editor for PC World. Click on the link for more Bugs and Fixes columns.
New Service Pack for Windows 2000
Service Pack 4 for Windows 2000 provides nearly 700 bug fixes and security patches. One fix, for example, eliminates a problem involving some USB keyboards with PS/2 mouse ports that caused Windows 2000 PCs to take up to an hour to start. Go to Windows 2000 Service Pack 4 to download it.
Be warned: The service pack may clash with Symantec's Norton Internet Security 2001 or Norton Personal Firewall 2001. You may not be able to access the Internet. However, if you've run Symantec's LiveUpdate since June 27, you shouldn't experience the problem. Go to Windows 2000 SP4 and Norton Internet Security 2001 for Symantec's advisory.
In Brief
Printing Problems
If your PC runs Windows XP or 2000 and you try printing using a printer connected to a parallel (LPT) port, you may find that other apps hang. Microsoft doesn't think that this is a problem, nor has it plans to fix the issue. Instead, as explained at "100 Percent CPU Usage Occurs When You Print on an LPT Printer Port", the company suggests that you use a USB port or a USB-to-parallel adapter.
Got XP Blues?
In the last month, at least 100 readers have written to me about PC performance problems brought on by Windows XP's service pack 1 (see "A Big Microsoft Mess--Patches Gone Bad" for details about the maddening situation so far). Contact Microsoft via mswish@microsoft.com or use its template at Microsoft's Product Feedback to submit your SP1 complaints. We can't guarantee that anyone in Redmond will listen, so please continue to write to bugs@pcworld.com.
Bugged?
Found a hardware or software bug? Tell us about it via e-mail at bugs@pcworld.com.