A newly discovered security flaw in Internet Explorer 6 is being exploited by virus writers to spread a worm via online advertisements. UK-based technology news site The Register has reported that some of its advertisements have been infected.
The bug is caused by the way iFrames – the HTML commands for displaying frames on a Web page – are processed in IE6. When you click the attack program's link, it triggers a buffer overflow error, causing the browser to fail. A clever attacker can then load his or her own program onto your PC and take over your machine. If you don't click the malicious ad, your computer will not be attacked.
People using Windows XP Service Pack 2 are not affected by the bug. Prior versions of Windows, however, from 98 through XP Service Pack 1, are vulnerable. Users should install Microsoft's patch to block potential attacks. The patch is also a cumulative update for IE, so you will get all the previous patches in this single download.
In addition, Microsoft has released a hotfix for a bug that can cause IE6 to crash if you are running Windows XP Service Pack 2 or Windows XP Tablet PC Edition 2005. The problem will come up only if you try to view a web page that displays vector graphics and you receive an "access violation in Vgx.dll" error.
Because of a security hole, some versions of Sun Microsystems's Java plug-ins (small programs that add Java capabilities to apps such as IE) are susceptible to attacks. The flaw affects Windows and Linux OSs, and IE and Firefox browsers.
The bug could leave you open to a rogue Java applet hiding in an attacker's website. Clicking a poisoned link could let a villain control your PC, steal files, erase data, and upload programs.
Fortunately, the bug doesn't affect all versions of Java: Versions 1.4.2_06, 1.3.1_135.0, and 5.0 are immune. To find out if you have a vulnerable version, go to www.java.com and click the Download button. The site then automatically scans your system; if it finds that you have a buggy version, it will recommend that you download the protected release.
Elsewhere, the Trojan horse Skulls.B has been combined with the worm Cabir.B to create a double threat to Symbian-based mobile phones, such as some Nokia and Siemens AG units. Skulls.B claims to be a free theme manager for your phone. But once loaded, it wipes out all applications, so the phone can only make and receive calls.
It also displays program icons as generic ones. What's more, Skulls.B drops the Cabir.B worm on your phone. If you click the worm's icon, it will try to infect other phones via Bluetooth, if the phone has that feature.
Finally, internet telephony company Skype has updated its Voice-over-Internet-Protocol software to plug a security hole that could let an attacker take over your PC. Clicking a malicious link on a website may trigger a buffer overflow error, and the error could be exploited to run a bad guy's program on your machine.
Skype's VoIP software for Windows allows users to make free voice calls to each other anywhere via the internet. Although Skype is compatible with Linux, Mac and PocketPC operating systems, the bug affects only Skype's Windows version.