Holes Abound in Microsoft Software
Prevent Xbox fires, patch Symantec software, and get Knowledge Base alerts.
Stuart J. Johnston is a contributing editor for PC World. Click here to see more Bugs and Fixes columns.

Illustration by Scott Menchin
Picture this: Your child, while surfing the Web, clicks a thumbnail picture to see a full-size version. But instead of showing the image, the PC just sits there. By the time you get summoned, the damage has been done. Your machine has been hacked, and an indeterminate number of confidential files are winging their way to an unknown location. This could happen to you if you don't plug a slew of recently discovered holes in Microsoft's software.
The company rolled out 13 patches recently. Five of them block serious security vulnerabilities in Windows, Office, Internet Explorer, Windows Media Player, and MSN Messenger.
Microsoft has labeled all five holes "critical." For example, one flaw could let an attacker send you a program disguised as a Portable Network Graphics (.png) image file. A successful attack would exploit the way your software displays such graphics files. The hole involves Windows Media Player 9, Windows Messenger 4.7 and 5, and MSN Messenger 6.1 and 6.2. All of the apps use the same software to process .png files. (You're safe if you work with an earlier version of WMP, or with either WMP 9 for Windows XP Service Pack 2 or WMP 10.)
You could get into trouble by clicking a link on a malicious Web site or in an HTML e-mail. Once infected, your PC would receive a poisoned PNG file from the attacker's program. Click here for Microsoft's fix. If you don't install the patch, you won't be allowed to log on to MSN Messenger.
Another patch corrects two critical weaknesses in IE. One hole would let a bad guy fool you into thinking you were clicking a safe link by camouflaging the link's real address (a process called "spoofing") and then take over your computer after you clicked it. The other hole takes advantage of the way IE handles dynamic HTML, an extension to the language that Web pages are written in. If you run Windows XP SP2, you are protected from the first flaw--but not from the second one. Both holes affect IE 5.01 through 6 SP1. Click here for the update. For details on all 13 patches, go here and click the security update links for Windows, Office, and MSN Messenger.
If you install the patches, beware: Some people have had troubles after installing them. Head to our blog for users' experiences.
Knowledge Base Reports
How would you like to be notified every time Microsoft publishes a new Knowledge Base article regarding the particular applications that concern you most? KbAlertz.com does just that. The site scans Microsoft's Knowledge Base daily for new or updated articles, and sends out an e-newsletter when anything changes. Sign up for free (at www.kbalertz.com) and specify the Microsoft products that you want to be kept apprised of--operating systems, Office applications, e-mail clients, and other software.
In Brief
Xbox Fire Hazard
Microsoft is replacing the power cords on many of its Xbox game consoles due to a fire hazard. Failures in 30 consoles have resulted in minor burns to owners as well as minor property damage, the company reports. Visit www.xbox.com or call 866/271-0450 to see if your Xbox is affected and to obtain a free replacement cord.
Symantec Fix
Symantec has patched a hole in various programs, including Norton AntiVirus 2004, Norton Internet Security 2004, and Norton SystemWorks 2004, that could let an attacker control your PC. Click here for details.
HP Monitor Recall
Philips is now recalling HP-brand L2035 LCDs due to a possible shock risk. Philips will repair or replace defective units. For details click here or call 800/254-2280.
Bugged?
Found a hardware or software bug? Tell us about it via e-mail at bugs@pcworld.com.
