Security Holes Plague Windows Help
Patches for XP and 2000 are available now--but 98 and Me users must wait.Stuart J. Johnston is a contributing editor for PC World. Click on the link for more Bugs and Fixes columns.
Illustration by Viktor Koen
Two newly discovered security holes affect the HTML Help system and the Task Scheduler in Windows XP and 2000. The Help security bug also affects earlier versions of Windows, including 98, 98 SE, and Me.
Unfortunately, Microsoft has not yet finished developing patches for the older Windows versions and can't say when they'll be ready. When they are, the company says, users will be able to get the patches through Windows Update. One minor blessing: The older versions of the Windows operating system aren't susceptible to the Task Scheduler bug. (Task Scheduler allows users to set the times when specific jobs, such as system maintenance programs, will run.)
Before a malevolent cracker could exploit either security flaw, you would have to visit a Web site that hosted a malicious link, or click a link in an HTML e-mail that took you to the attacker's site. Like many security flaws in Microsoft products, these holes could be exploited by sending the system faulty or excessive information, causing the machine to malfunction. Then the attacker would transmit a program of his or her own to take control of your PC.
Microsoft designated the holes as "critical" because a cracker's successful assault could result in the complete takeover of your machine: The evildoer would then have free rein to steal your personal files or even to wipe out the contents of your hard disk.
Microsoft has now released patches for both flaws in Windows XP and 2000. If you use XP, I recommend getting Service Pack 2. Though the company hasn't yet posted patches for Windows 98 and Me systems, it has provided workarounds for both bugs.
So far, there have been no reports of attacks, but don't take any chances. Click here for the patches and for more technical details on the HTML Help flaw (numbered 840315), and click here to get the Task Scheduler fix (numbered 841873). Both fixes are included in SP2.
Internet Explorer Fix Blocks New Virus
Microsoft's cumulative patch for IE plugs three newly discovered security holes that it rates as "critical," including one that could result in something similar to a serious--but not widespread--virus attack launched this past July that is known as the "download.ject" or "Scob" virus (click here for more); the attack involves logging a user's keystrokes.
The patch aims to head off recurrences of that incident, which exploited weaknesses in Windows and in Microsoft's Web server software. The update also contains previously released patches for IE, fixing flaws in Windows XP and 2000--but not 98 and Me yet. Get the patch (numbered 867801).
In Brief
Dell Adapter Recall
Dell is recalling 28,000 power adapters for some Latitude and Inspiron notebooks. It is possible to plug the wrong power cord into the adapters, posing a shock hazard. Click here for information about a free retrofit kit.
Mozilla Patch
A new patch fixes a flaw discovered in the protocol handling functions of Firefox, Thunderbird, and the Mozilla Application Suite. The bug affects only Mozilla browsers on Windows PCs--not those on Linux PCs or Macs. The fixed versions are Mozilla 1.7.1, Firefox 0.9.2, and Thunderbird 0.7.2. Click here for details.
D-Link Firmware Upgrade
D-Link has released new firmware for its AirPlus DI-614+ wireless routers. The update, version 3.43 fixes a hole that could allow Denial of Service attacks.
Bugged?
Found a hardware or software bug? Tell us about it via e-mail at bugs@pcworld.com.