Patch Serious Leaks in Windows

Block tarnished pop-ups in Windows Media Player and fix glitches in Outlook.

Stuart J. Johnston is a contributing editor for PC World.

As reported back in the February issue, the PC World staff discovered a security glitch in Windows Media Player 9 and 10 that could cause you to unwittingly download adware, spyware, and other malware instead of opening copy-protected files.

If WMP doesn't locate a license to play copy-protected files on your PC, the program will go online to obtain usage licenses from a valid Windows Media Digital Rights Management server. That process has let some adware purveyors push spyware and adware onto users' PCs, especially those on peer-to-peer file-sharing networks like Kazaa. Crackers could employ the same mechanism to install viruses or other attack programs.

You can see a few workarounds here. At press time, Microsoft said that it is updating WMP to stop adware and hack attacks. An updated version of the app is available from Microsoft's site now.

You might run afoul of WMP's Digital Rights Management in a different way--by changing your PC's hardware configuration. If you then attempt to play a copy-protected file, Windows' DRM system may sense, by mistake, that you're trying to pirate copies of licensed content onto another PC and refuse to play the files. The easiest fix is to change everything back. The other workaround is complex and involves deleting the licenses you paid for. So back up your licenses before you reconfigure hardware or change settings. Details on Microsoft's workarounds are available here.

Plug More Holes

Microsoft fixed a hole in Windows Help that could let a bad guy control your machine if you click a malicious link on a Web page or in an HTML-based e-mail. You don't have to use the Windows Help system to be attacked, either.

The vulnerability affects Windows 98 through XP Service Pack 2. However, Outlook Express 6 and Outlook 2002 and 2003 users are protected. To be safe, download the fix.

Microsoft patched another vulnerability that's almost as dangerous as the Help issue, except that XP SP2 will protect you. The hole is in the part of Windows 98 through XP SP1 that displays cursors, bitmap images, and icons. For example, an attack program could appear as an animated cursor. The instant you click, a cracker could take over your PC. You're protected from e-mail attacks if you have the versions of OE and Outlook listed above. But you're still vulnerable to a Web-based attack, so download the patch.

In Brief: Flaws in Eudora

Qualcomm patched several security holes in Eudora and has released a new version. Security firm Secunia rates these holes as highly critical. All versions of Eudora (6.2.0 and earlier) are vulnerable. Download version 6.2.1.

Big Batch of Patches from Microsoft

As we went to press, Microsoft released its monthly collection of security updates. This monster set of 12 patches fixes 16 weaknesses in Windows, Internet Explorer, Microsoft Office, and other programs. Get links to the patches and security bulletins for the slew of Windows and IE updates, and get the Office updates. And you can also read PC World's news story.

Bugged?

Found A hardware or software bug? Tell us about it via e-mail at bugs@pcworld.com.