Plus: Mozilla security woes, Java holes – and short battery life.
This article appears in the July 06 issue of PC Advisor, available in all good newsagents.
I bet you never thought the pictures WMP (Windows Media Player) displays while playing your favourite music could be the key to letting a hacker trash your computer. Or that downloading a skin to change WMP's looks could open the door to your PC. But because of a problem with the handling of bitmapped images, that's what might happen.
An attacker could use this hole to bypass your system's security and do anything, from planting spyware to reformatting your hard disk, just for the heck of it. Aside from viewing poisoned photos of your favourite artists, or downloading music or skins from a questionable site, you can be infected in more traditional ways, such as via booby-trapped links on a website or in an email.
Bitmap is one of the more common image formats. Unfortunately, the part of WMP that handles the display of bitmaps has a flaw that permits a malicious hacker to send you a file that drowns it with data. WMP then crashes, passing control of your PC over to whatever commands or programs your attacker has cued to hit next.
Microsoft has distributed a patch to address this critical problem via Windows Update. All versions of WMP from 7.01 to 10.0 are at risk. Don't delay in patching: at least two sites have published code that takes advantage of this WMP hole – and it won't take a lot of effort to turn that code into a pre-fab component for use in a worm or virus.
Meanwhile, Sun is dealing with its own security problems in its JRE (Java Runtime Environment), the virtual machine that allows you to run Java programs. You most commonly get this as a plug-in so your browser can run Java applets.
A number of flaws could potentially let a cyberthug execute whatever code they want, just by tricking you into clicking on a malicious link. To check your JRE version, click Start and select Run; type 'cmd' and click OK. At the DOS prompt, type 'java -fullversion' and press Return. You're safe if you have J2SE (Java 2.0 Standard Edition) 5.0 Update 6.0 (shown as 1.5.0_06) or J2SE 1.4.2_11. If you don't, jump over to sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1 for Sun's advisory and how to download the patched updates.
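The same version check, scripted for several machines at once (an added example, not part of the original article). The host names and output lines are constructed, and treating updates later than the two releases named above as patched is an assumption.

```python
import re

# Patched update level per release family, as named in the article.
PATCHED = {(1, 5, 0): 6, (1, 4, 2): 11}

# Matches the quoted version in `java -fullversion` output, for example
# java full version "1.5.0_06-b05". Update and build suffixes are optional.
_VERSION_RE = re.compile(r'"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?"')


def parse_fullversion(output):
    """Return ((major, minor, micro), update), or None if unparseable."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    family = tuple(int(g) for g in m.group(1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0  # "1.5.0" has no update
    return family, update


def classify(output):
    """Classify one machine's output: 'patched', 'vulnerable' or 'unknown'."""
    parsed = parse_fullversion(output)
    if parsed is None:
        return "unknown"  # Java missing, or output in an unexpected format
    family, update = parsed
    required = PATCHED.get(family)
    if required is None:
        return "unknown"  # family not covered by the article: review by hand
    # Assumption: updates later than the named release also carry the fix.
    return "patched" if update >= required else "vulnerable"


def audit(outputs_by_host):
    """Map each host name to its classification."""
    return {host: classify(out) for host, out in outputs_by_host.items()}


# Constructed sample output, one line per (hypothetical) machine.
SAMPLE = {
    "desk-01": 'java full version "1.5.0_06-b05"',
    "desk-02": 'java full version "1.5.0_05-b05"',
    "desk-03": 'java full version "1.4.2_11-b06"',
    "desk-04": 'java full version "1.5.0-b64"',
    "desk-05": "'java' is not recognized as an internal or external command",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(host, status)
```

Machines reported as 'unknown' either have no Java on the path or run a release family the article does not mention, so they need a manual check against Sun's advisory.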
Buggy Microsoft driver drains laptops
If you're planning to buy a pricey laptop that uses one of Intel's dual-core mobile processors, you may not be getting all the battery life you paid for. The culprit is Microsoft's USB 2.0 ACPI (Advanced Configuration and Power Interface) driver, which was introduced with XP SP2. Ironically, ACPI is meant to help conserve power. But with this bug, using any built-in or external USB 2.0 devices can lead to extra battery drain. Microsoft released a partial workaround for PC makers in July, but it's deemed too complicated and risky for public release. Until there's a patch, save battery life by unplugging USB devices from your laptop when running on the battery.
Researchers recently identified eight security holes in Mozilla's Firefox 1.5 browser and in pre-1.0 versions of Mozilla's SeaMonkey browser and email suite. The holes affect Windows, Linux and Mac users, but earlier Firefox versions are not affected. The worst of these flaws could result in an attacker taking over your system, but Firefox 220.127.116.11 and later or SeaMonkey 1.0 and later are safe. You should receive the Firefox updates automatically if you have at least version 1.5. Otherwise, update Firefox at www.mozilla.com/firefox and SeaMonkey at www.mozilla.org/projects/seamonkey.