Microsoft Glitches Hamper Critical Fixes
Stuart J. Johnston is a contributing editor for PC World.

Illustration by Headcase Design
Take the latest cumulative update for Internet Explorer. Two of its corrections sealed significant holes in IE 7 for both Vista and XP, starting with COM objects (precursors to ActiveX controls). Viewing a site with a poisoned COM object could allow an attacker to take control of your system, although you would have to okay an IE 7 dialog box first.
The second flaw exists in an internal IE function, the property method. An attacker could target the flaw with a specially crafted Web page and hit you with a drive-by download.
The same cumulative update addressed four crucial issues with ActiveX and Active Scripting in IE 6 on Windows XP SP2. When you factor in fixes for critical flaws in IE 5.01 and 6 on Windows 2000 SP4, as well as in IE 6 on Windows XP SP1, it's a patch you'll want from Microsoft Support, if you haven't already received it through Automatic Updates.
Broken IE
It's clear these are must-have patches. But a nasty post-patch surprise awaits some Vista users: IE may fail to start. Here's the problem: If you've changed the location of Vista's Temporary Internet Files folder and employ the antiphishing filter, IE might not be able to use that new folder location. The workaround, described at Microsoft Support Article ID 937409, involves moving the folder back to its original location or changing the permissions on its new location.
On top of that, some Windows XP SP2, Windows 2000 SP4, and Windows Server 2003 users had trouble with Windows Update and Microsoft Update: When Windows scanned automatically for updates, or when the user went to the update site, the PC's CPU sometimes bogged down and became unresponsive.
Bad problem, so Microsoft released a patch. But in some PCs, the hotfix not only failed to work, it caused important system tasks to crash. So Redmond released a second patch that supersedes the first and will be distributed via Automatic Updates through the end of June; it's also available at Microsoft Support Article ID 927891. We'll see if the second hotfix fully cures the problem.
Office Fix Delayed
After these two strikes, the third swing-and-a-miss came when a problem with Microsoft Update prevented some Office 2007 users from receiving important patches. Microsoft fixed the problem quickly, but the Update snafu caused some people to wait an extra week to receive the patches.
Two of the seven fixed bugs are rated as important for Office 2007. All of them are critical for Office 2000 Service Pack 3, and important for other supported Office versions. Any of these flaws could be hit if you open an e-mailed or downloaded rogue document, and one of the holes is under active attack. So if you are not using Automatic Updates, get the fixes at Microsoft Security Bulletin MS07-025, Security Bulletin MS07-024, and Security Bulletin MS07-023.
These glitches might tempt you to avoid the hassle and stop updating your programs, but remember: A malware infection is much worse.
In Brief
Here are three more fixes to download if you use these products.
Symantec Risk: An ActiveX control added by Norton Personal Firewall 2004 and Norton Internet Security 2004 contains a serious flaw that could permit a takeover of your PC if you use Internet Explorer to open a malicious Web site. For the security fix, either run Symantec LiveUpdate, or pick it up from Symantec Security Response.
Trillian IRC Hole: A risk in Version 3 of the chat client leaves you vulnerable to an attack if you highlight a specially crafted hyperlink sent as part of a message in an IRC chat session. Version 3.1.5.1 closes the hole; download it from Trillian Blogs.
Winamp Fix: Version 5.35 of the media player fixes a flaw that arises if you use the program to open a poisoned MPEG-4 (.mp4) audio or video file downloaded from the Web or received as an e-mail attachment. Get the update from the Winamp site.
BUGGED?
Found a hardware or software bug? Send us an e-mail about it at bugs@pcworld.com.
