The popularity of high-speed internet connections and increasingly fast processors has made streaming video and audio a reality for most people. Nearly every news website features links to video of current events. Sometimes such videos are cued to play automatically when you visit a particular page. But our growing reliance on the web to provide news and entertainment in this format also raises our odds of being tricked into triggering an attack through such streamed files.
Case in point: Microsoft just patched a hole in the way that Windows Media Player handles AVI videos, a flaw that could permit an attack program to infiltrate your PC. To display the AVI files, WMP uses a playback technology called DirectShow, a component of Windows DirectX that enables hardware acceleration features and allows applications to display graphics. Without the patch, DirectX versions 7.0 through 9.0c running under Windows 98 through XP SP2 are vulnerable to the flaw.
A researcher at eEye Digital Security identified a way that a bad guy could booby-trap a seemingly benign AVI. The attacker could then embed the poisoned file in a web page and set it to autoplay in the background, or send it to unsuspecting users as an attachment or a link in an email message. To get you to click, the file could have a title intended to pique your curiosity (say, "Funny Beer Commercial"). But if you clicked, the joke would be on you.
As the poisoned file runs, it purposely sends too much data to the software responsible for playing AVIs in Windows (usually WMP), causing the program to crash and in the process enabling the attacker's hijack code to take over your computer. Play it safe and download the update at Microsoft Security Bulletin MS05-050.
Danger in IE 6.0
Microsoft also patched a hole in Internet Explorer 6.0 affecting Windows 98 through XP SP2. The problem has to do with IE mistakenly running certain special communications programs, called COM objects, that Windows uses to swap data between applications, often on different systems. Some COM objects can run in IE, but others should run only in Windows.
A crook could lure you to a web page rigged with code that tricks IE into running a specially crafted COM object. This could cause IE to crash and begin running code that could take over your PC.
Microsoft says real-world exploits that take advantage of this flaw already exist. Head to Cumulative Security Update for Internet Explorer and download the patch. It is also a cumulative IE update that contains all security patches ever released for IE 6.0.
In brief: Skype patch
Skype has plugged a hole in its VoIP (Voice-over-IP) software (which lets you make free or low-cost phone calls worldwide over the internet) that could let an attacker control your PC. Attackers gain entry into your computer if you click the wrong link on a web page or in an email, or if you open a booby-trapped electronic business card called a vCard (a file format standard for exchanging address book information through e-mail). Locate the patch at Skype.
Problems with iTunes media player
Many iTunes users are encountering problems when they install version 6.0 on PCs running Norton Internet Security. Apple's support page indicates that you may need to temporarily disable your antivirus software to install iTunes - but disconnect your PC from the web first. Meanwhile, some customers are having issues with iTunes 6.0 and QuickTime 7.0. One solution, several users say, is to uninstall and then reinstall both programs.
However, these fixes only sometimes repair the glitch. Apple says it is still investigating the problems. Symantec reports no clashes between NIS and iTunes.