
Plug Critical Holes in IE and Office

Plus: A fix for problems when you resume from standby and hibernation states.

Stuart J. Johnston is a contributing editor for PC World.

Stuart J. Johnston

It's happened again. Crackers recently began exploiting a newly revealed major security bug in Internet Explorer before Microsoft could issue a patch. These so-called zero-day exploits--where less than a day passes between the revelation of a vulnerability and attacks against it--are becoming more frequent. And that's bad news for us all. Security research firm Secunia found this hole, which affects virtually all versions of IE, from 5.01 through 6 Service Pack 2. Beta previews of IE 7 that predate March 20, 2006 (build 5335.5 or later) are vulnerable as well.

Though attacks exploiting this breach have been sporadic so far, make sure to get the fix. The flaw opens the door to the dangerous drive-by download attack, where just visiting a malicious Web site can pull viruses and spyware onto your computer--no click required. Simply viewing a corrupt banner ad on a page could trigger the attack routine as well. Here's how the bug works: A booby-trapped site or image sends your system a poisoned "CreateTextRange" JavaScript command that scrambles IE's idea of what's supposed to be where, leaving IE (and Windows) flummoxed. A split second later, the cybervulture's attack program swoops in to carry out whatever nefarious activities the attacker has devised. No matter what the specifics, you'll be the loser.

A bit of good news: Just previewing an Outlook e-mail message containing a link to a malicious site won't trigger the exploit. But the usual warning applies: Never click a link in any message that's even slightly suspicious. Microsoft will distribute a patch via Windows Update by the time you read this. In the meantime, the company's suggested (if draconian) workaround is to disable or prompt for all JavaScript. JavaScript is a type of programming found in many different Web pages, and disabling it means a lot of sites will display incorrectly or may keep you from logging in. To implement the workaround in IE, click Tools, Internet Options, and select the Security tab. Click Internet, Custom Level. Under Settings, in the Scripting section, scroll down to Active Scripting, click either Prompt or Disable, and then click OK.
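The same workaround can be applied and audited from a script, which helps when more than one PC needs it. This is an added example, not from the original article or from Microsoft: it assumes the standard per-user zone registry layout (zone 3 is Internet, URL action 1400 is Active Scripting), and the function names are hypothetical.

```powershell
# Added example: audit and set IE's Active Scripting action (1400) for the
# Internet zone (zone 3). Action values: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$PolicyKeys = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
)
$Action = '1400'
$Names  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Hypothetical helper: returns the action value under a key, or $null if unset.
function Get-ActiveScripting {
    param([string]$Key = $ZoneKey)
    $item = Get-ItemProperty -Path $Key -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Action
}

# Hypothetical helper: applies the workaround and reports the previous setting
# so it can be restored once the real patch is installed.
function Set-ActiveScripting {
    param([ValidateSet('Enable', 'Prompt', 'Disable')][string]$Mode = 'Prompt')
    $value = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Mode]
    $old   = Get-ActiveScripting
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    Set-ItemProperty -Path $ZoneKey -Name $Action -Value $value -Type DWord

    # A value under a Policies key takes precedence over the per-user value,
    # so warn when one is present and disagrees with what was just written.
    foreach ($p in $PolicyKeys) {
        $forced = Get-ActiveScripting -Key $p
        if ($null -ne $forced -and $forced -ne $value) {
            Write-Warning "Policy at $p sets action $forced; the per-user change will not apply."
        }
    }

    $previous = if ($null -eq $old) { 'not set' } else { $Names[$old] }
    [pscustomobject]@{ Previous = $previous; Current = $Mode }
}

# Apply the less disruptive of the two options named in the workaround.
Set-ActiveScripting -Mode Prompt
```

Note the `Previous` value in the output; pass it back to `Set-ActiveScripting -Mode` after the MS06-013 patch is installed to undo the workaround.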

Two security companies have released their own temporary workaround patches, but analysts recommend using either Microsoft's workaround or an alternate browser such as Firefox or Opera. Microsoft also warns against using third-party patches.

For additional details, see Microsoft's advisory. When it is ready, the patch will be at Microsoft Security Bulletin MS06-013. Of course, all of these problems will be solved by this time next year when Microsoft releases Windows Vista. Right?

Lock the Door to Your Office Suite

Microsoft has patched six--count 'em, six--critical Microsoft Office security holes. For Windows users, these holes are "critical" only for Office 2000, and merely "important" to patch for other versions, says the company. For Mac users, Excel 2004 and Excel X are affected, with the flaws rated as "important."

The patches for the Office 2000 and Outlook 2000 holes, which leave you open to a complete takeover of your PC, automatically distribute via Microsoft Update, as do those for more recent versions including Office XP Service Pack 2 and 3. For other versions, or if you don't use Microsoft Update, get the appropriate patch and more info at Microsoft Security Bulletin MS06-012.

Fix for Sleepy PCs

Rip Van Winkle PCs--those running Windows XP Service Pack 2 that won't wake up from standby or hibernation mode--now have a cure: Microsoft has fixed a glitch with XP's "data execution prevention" security feature. Since the patch isn't security related, you'll need to manually download it from Microsoft's Help and Support.

Real Security Patch

RealNetworks has released a patch for several critical security holes in RealOne Player 1 and 2, Helix Player 1.x, and RealPlayer 8, 10, and 10.5. Windows, Linux, and Mac versions are all at risk. Get the patch at RealNetworks Real Security Updates.

Bugged?

Found a hardware or software bug? Send us an e-mail about it at bugs@pcworld.com.


©2008 About.com, a part of The New York Times Company.

All rights reserved.