Stop Service Pack 2 From Leaking Data
Plus: Patch a security hole in JPEG images; Mozilla fixes flaws in its browser.
Stuart J. Johnston is a contributing editor for PC World.

Illustration by Christoph Nieman
PC Welt, PC World's sibling publication in Germany, discovered a flaw in SP2 that can expose all of your shared files and folders to people on the Web. For data to be exposed, says Andreas Kroschel, one of the PC Welt editors who discovered the glitch, SP2 must be installed on your system; Internet connection sharing (ICS) must be disabled; file sharing must be defined on your PC; sharing exceptions must be specified in Windows Firewall; and the affected system must have a dial-up, DSL, or ISDN connection. (Due to the lack of cable modem service in Germany, PC Welt was unable to test the flaw under that connection.)
At press time, Microsoft had yet to acknowledge the flaw, though it is looking at PC Welt's claims. In the meantime, the magazine provides a workaround: For details, read Security Tips columnist Andrew Brandt's blog.
Poisoned Pictures
Microsoft released a patch for a flaw that could let a cracker take over your PC by sending you an attack program hidden inside a JPEG (.jpg) file. Except on systems with Windows XP SP2 installed, the hole affects all programs (including IE, Outlook, and Paint) that can open .jpg files. Although the flawed software component was not included with earlier Windows operating systems (including 98, 98SE, and Me), it often installs automatically on those OSs when you install programs that read JPEGs.
If you open up an infected JPEG on a Web page or as an attachment, the attacker's hidden code could cause a buffer overflow error, crashing the software or forcing Windows to run a rogue program from whoever created the infected file. For Microsoft's patch, click here. To figure out which Microsoft products need to be patched, click here. For software made by others, contact those companies.
Mozilla Patches Holes in Firefox
As interest in alternatives to Internet Explorer blossoms, so does scrutiny of their security flaws. Mozilla released a new version of its open-source Firefox browser that fixes nine holes.
The vulnerabilities could let an attacker hide sneaky code inside a VCard (a virtual business card exchanged via e-mail); enable miscreants to send you their attack program hidden in a .bmp image; or let a bad guy block sites protected by the Secure Sockets Layer protocol, preventing you from accessing them.
Download the latest version of Mozilla, 1.7.3, and Firefox, 0.9.3.
In Brief
Inkjet Refill Recall
NCR is recalling about 78,000 inkjet refill kits (models 943264, 999289, and 999292) that were sold at Big Lots and Walgreens stores between April and June 2004. The refills lack child-resistant packaging and required warning labels. For an exchange or a refund, return them to the original store. For further info, hop over to NCR.com or call NCR at 800/279-0203.
Talking Worm
The Amus-A worm comes with a surprise: On Windows XP systems, it talks. The worm uses XP's speech engine to play a puerile message: "How are you. I am back. My name is Mister Hamsi. I am seeing you." The worm tries to delete Windows files and attempts to spread using your e-mail address book. Get info and virus updates from McAfee or from Symantec.
Bugged?
Found a hardware or software bug? Tell us about it via e-mail at bugs@pcworld.com.
