Flash and QuickTime Media Danger
Plus: Windows Genuine Advantage notifications, Word attachment risk.
Stuart J. Johnston is a contributing editor for PC World.
Stuart J. Johnston

Illustration by Headcase Design
Media players are a necessary part of today's digital entertainment world, but they also give crooks another entryway into your system. Cases in point: critical holes found in Adobe's Macromedia Flash Player and in Apple's QuickTime media player. A successful exploit of either bug could enable crackers to hit you with a drive-by malware download that you wouldn't soon be able to forget.
Bugged versions of Flash Player 4, 5, and 6 accompanied virtually every copy of Windows, from Windows 98 first edition on up through Windows XP SP2 (as described in Microsoft's Security Bulletin MS06-020). The only exceptions are Windows 2000, Windows XP Pro x64, and Windows Server 2003. According to Adobe, all versions prior to 8.0.22 are at risk.
Because of this vulnerability, if you simply view a poisoned Web site or e-mail message containing a doctored Flash movie (.swf) file, the player will crash due to a buffer overflow, and the doctored file can then run any command its perpetrator wants it to: download spyware, erase files, or what have you.
No attacks had been reported at press time, but don't take any chances. Update the Microsoft-redistributed versions via Automatic Updates, or get version 8.0.24 from Adobe if you've already upgraded from older versions.
QuickTime Holes
Meanwhile, Apple has patched 12 critical holes in its own player with QuickTime 7.1 (for Windows and Mac OS). As with the Flash bugs, these vulnerabilities could cost you control of your PC if you view a poisoned media file in QuickTime, but in this case a range of movie and image file types may be used, including JPEG, BMP, AVI, MPG, and QuickTime movies. You can obtain more information and the patched version from Apple.
Beware Word Docs
Crooks have targeted a serious new hole in Microsoft Word, sending corrupted .doc files as e-mail attachments to invade vulnerable PCs. Some of the e-mail messages have subject lines like "Notice" and "RE Plan for final agreement." By the time you read this, Microsoft should have patched the vulnerability in Word XP and Word 2003; the patch should be available via Automatic Updates in June. So far, the number of known attacks is small, but as always, be extra careful with e-mail attachments, even if they purport to be from someone you know. Learn more about the bug from Microsoft's Security Advisory 919637.
WGA Notifications Quietly Installed
Every time you go to Microsoft Update, Microsoft's Windows Genuine Advantage program checks whether your copy of Windows XP is pirated. Now, Microsoft has begun quietly distributing a WGA Notifications program to some users via Automatic Updates.
The problem is, the automated process sometimes gets it wrong, repeatedly sending you a pop-up alert claiming that your legitimate Windows copy is bogus.
For now, Microsoft says, users will have the option of not installing the notifier when it pops up a license agreement for them to accept. At some point it will become mandatory, though. And once installed, the program can't be removed.
Microsoft has a community site to help users who are having problems with WGA.
Mozilla Patches
Mozilla has upgraded its Firefox browser and Thunderbird e-mail program to version 1.5.0.4 to close security holes, some of which could enable an attacker to take control of your PC.
So be sure to say yes when either application prompts you to upgrade via its new (as of version 1.5) automatic update feature. Read more on the patched vulnerabilities here.
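The three fixes above (Flash Player 8.0.22 or later, QuickTime 7.1, and Firefox/Thunderbird 1.5.0.4) all come down to the same check: is the installed build older than the patched one? As an added example, not code from this column or from Adobe, Apple or Mozilla, the script below runs that comparison over a software inventory. The version thresholds are the ones stated in the column; the product names used as keys and the inventory rows are constructed for illustration, and a real deployment would feed it whatever your inventory tool reports.

```python
"""Flag installed player and browser builds that fall below the patched
versions named in this column. Added example, not PC World's or any
vendor's code; the inventory is constructed sample data, and the
thresholds are taken from the column (Flash 8.0.22, QuickTime 7.1,
Firefox and Thunderbird 1.5.0.4)."""

import re
from typing import Dict, List, Tuple

# Minimum safe versions stated in the column, keyed by an assumed product name.
PATCHED_VERSIONS: Dict[str, str] = {
    "Flash Player": "8.0.22",
    "QuickTime": "7.1",
    "Firefox": "1.5.0.4",
    "Thunderbird": "1.5.0.4",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '8.0.22', '7.1' or 'v1.5.0.4 (build 2006)' into a tuple of ints.
    Anything before or after the first dotted number is ignored."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_older(installed: str, required: str) -> bool:
    """True if installed < required. Shorter tuples are padded with zeros so
    that '7.1' compares equal to '7.1.0' rather than below it."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_unpatched(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (product, installed, required) for every inventory entry that
    is below its patched version. Products not in the table are skipped."""
    findings = []
    for product, installed in inventory:
        required = PATCHED_VERSIONS.get(product)
        if required is not None and is_older(installed, required):
            findings.append((product, installed, required))
    return findings


# Constructed sample inventory; these are not real machines.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("Flash Player", "6.0.79"),   # a Windows-bundled build, per the column
    ("Flash Player", "8.0.24"),   # Adobe's current release
    ("QuickTime", "7.0.4"),
    ("QuickTime", "7.1"),
    ("Firefox", "1.5.0.3"),
    ("Thunderbird", "1.5.0.4"),
    ("Notepad", "5.1"),           # not tracked, ignored
]

if __name__ == "__main__":
    for product, installed, required in find_unpatched(SAMPLE_INVENTORY):
        print(f"{product} {installed} is below patched version {required}")
```

The padding in `is_older` matters for exactly the kind of threshold the column quotes: Apple names its fix as "7.1", and a naive string or tuple comparison would wrongly flag a machine reporting "7.1.0" as unpatched.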
HP Camera Recall
Hewlett-Packard is recalling 679,000 HP Photosmart R707 cameras worldwide. A firmware screwup that tries to charge nonrechargeable batteries creates a fire hazard. Download the updated firmware here.
Bugged?
Found a hardware or software bug? Send us an e-mail on it to bugs@pcworld.com.
