
Windows flaw makes surfing riskier

Attackers have been using increasingly novel means to break into Windows systems, such as introducing doctored media files. Now joining that roster of dirty tricks are booby-trapped text fonts in web pages.

This column appears in the June 06 issue of PC Advisor, available now.

The bug sleuths at eEye Digital Security found a way to breach Windows' security by exploiting a flaw in the way the OS displays text on websites. Web designers often use embedded fonts to guarantee that the text on a page will be identical in every browser.

All a cyberthug has to do is place a corrupted font on a website and wait for unsuspecting visitors. When you view the affected font in Internet Explorer – or in any app that uses Windows to render the fonts in question – the doctored text triggers a buffer overflow, disabling your PC's security and allowing the thug to take control of your computer. Reading or even just previewing an affected HTML email in Outlook or Outlook Express can be enough to launch the attack.

This flaw affects all versions of Windows, from Windows 98 through XP SP2, which means the majority of people online are at risk. Microsoft has distributed the patch via Windows Update. You can get it here.

The discovery follows a recent rash of attacks that exploited holes in the way Windows displays certain types of images embedded in web pages. Smart crackers figured out how to use WMF (Windows metafile) images to disable a PC's security.

More than ever, it pays to be careful what you click. These vulnerabilities are especially troubling because you can compromise your system just by looking at a poisoned email message or web page.

Block Outlook hole

A separate vulnerability affecting users of Outlook 2000, XP and 2003 may also give a hacker control of your system. Again, you simply have to open or preview a doctored email to be compromised. Outlook's mishandling of a file format called TNEF (Transport Neutral Encapsulation Format) is to blame. The problem is 'critical' in Microsoft's eyes because the app uses TNEF when it sends or receives email in the commonly used RTF (Rich Text Format).

A patch for this flaw is also available; you can download it here.
