
Windows flaw makes surfing riskier

Make sure your protection is up-to-date

Attackers have been using increasingly novel means to break into Windows systems - for example, using doctored media files like music, web graphics and video. Now joining that roster of dirty tricks are booby-trapped text fonts embedded in web pages.

The bug sleuths at eEye Digital Security found a way to breach Windows' security by exploiting a flaw in how the OS displays text on websites. Web designers often use embedded fonts to guarantee that the text on a page will look the same in every browser.

All a cyberthug has to do is create a corrupted font on a website and wait for unsuspecting visitors. When you view the affected font in Internet Explorer - or in any application that uses Windows to show the fonts in question - the doctored text triggers a buffer overflow, disabling your PC's security and allowing the thug to then take control of your computer. Reading or even just previewing an affected HTML email message in Outlook or Outlook Express can launch the attack too.

This flaw affects all versions of Windows, from Windows 98 through XP Service Pack 2, which means the majority of people online are potentially at risk. Microsoft has distributed the patch via Windows Update.

The discovery follows a recent rash of attacks that exploited holes in the way Windows displays certain types of images embedded in web pages. Smart crackers figured out how to use what are called WMF (Windows Metafile) images to disable a PC's security.

More than ever, it pays to be careful what you click. These vulnerabilities are especially troubling because you can compromise your system just by looking at a poisoned email message or web page.

A separate vulnerability affecting Outlook 2000, XP or 2003 users may give a hacker control of your machine as well. Again, you simply have to open or preview a doctored email to be compromised. Outlook's mishandling of a file format called TNEF (Transport Neutral Encapsulation) is to blame. The problem is "critical" in Microsoft's eyes because the application uses TNEF when it sends or receives email in the commonly used Rich Text Format.

As before, you can run Windows Update to get this patch.

Beware of this Winamp danger: if you open a specially crafted playlist (from a link on a malicious website, for example) with version 5.12 of Winamp, you'll end up with a buffer overflow error that could let the bad guys take over your PC. To get the fix, you need to upgrade to version 5.13 or later.

Microsoft Small Biz Accounting Glitch: if Microsoft Office Small Business Accounting 2006 gives a nondescript error and crashes every time you start it, reinstall the program's Service Pack 1.

Symantec has released patches to fix a hole in the way its antivirus software library handles certain compressed files.

If a hacker hides a booby trap inside a file or email attachment ending with .rar, the library unwittingly launches the attack when it scans the file, running any command the hacker wants. Most of Symantec's products use the affected library.

To plug this hole, manually run Symantec LiveUpdate (by clicking LiveUpdate in the toolbar) to make sure you have the necessary patch. Repeat, if necessary, until you have all available updates.
