
Windows flaw makes surfing riskier

Attackers have been using increasingly novel means to break into Windows systems, such as introducing doctored media files. Now joining that roster of dirty tricks are booby-trapped text fonts in web pages.

This column appears in the June 06 issue of PC Advisor, available now.

The bug sleuths at eEye Digital Security found a way to breach Windows' security by exploiting a flaw in the way the OS displays text on websites. Web designers often use embedded fonts to guarantee that the text on a page will be identical in every browser.

All a cyberthug has to do is create a corrupted font on a website and wait for unsuspecting visitors. When you view the affected font in Internet Explorer – or in any app that uses Windows to show the fonts in question – the doctored text triggers a buffer overflow, disabling your PC's security and allowing the thug to then take control of your computer. Reading or even just previewing an affected HTML email in Outlook or Outlook Express can be enough to launch the attack.

This flaw affects all versions of Windows, from Windows 98 through XP SP2, which means the majority of people online are at risk. Microsoft has distributed the patch via Windows Update. You can get it here.

The discovery follows a recent rash of attacks that exploited holes in the way Windows displays certain types of images embedded in web pages. Smart crackers figured out how to use WMF (Windows metafile) images to disable a PC's security.

More than ever, it pays to be careful what you click. These vulnerabilities are especially troubling because you can compromise your system just by looking at a poisoned email message or web page.

Block Outlook hole

A separate vulnerability affecting Outlook 2000, XP or 2003 users may give a hacker control of your system as well. Again, you simply have to open or preview a doctored email to be compromised. Outlook's mishandling of a file format called TNEF (Transport Neutral Encapsulation Format) is to blame. The problem is 'critical' in Microsoft’s eyes because the app uses TNEF when it sends or receives email in the commonly used RTF (Rich Text Format).
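The two delivery routes this column describes, embedded web fonts in HTML and TNEF-encapsulated mail, can be flagged on the way in so that unpatched clients never open them. The following triage script is an added example, not code from the column or from eEye/Microsoft; it assumes the standard TNEF stream signature (0x223E9F78) and the Embedded OpenType header magic (0x504C at byte offset 34), and the HTML and attachment bytes it scans are constructed samples.

```python
import re

# Constructed constants based on the public TNEF and EOT header layouts (assumption, not from the column).
TNEF_SIGNATURE = b"\x78\x9f\x3e\x22"   # 0x223E9F78 little-endian: first 4 bytes of a TNEF stream (winmail.dat)
EOT_MAGIC_OFFSET = 34                  # EOT header: MagicNumber field sits after the 34-byte prefix
EOT_MAGIC = b"\x4c\x50"                # 0x504C little-endian

# @font-face rule with a src: url(...) entry; this is how pages pull in embedded fonts.
FONT_FACE_RE = re.compile(
    r"@font-face\s*\{[^}]*?src\s*:\s*url\(\s*['\"]?([^'\")]+)", re.IGNORECASE | re.DOTALL
)


def find_embedded_fonts(html):
    """Return the font URLs referenced from @font-face rules in an HTML page or HTML mail body."""
    return FONT_FACE_RE.findall(html)


def is_tnef(data):
    """True if the attachment bytes start with the TNEF stream signature."""
    return data[:4] == TNEF_SIGNATURE


def is_eot(data):
    """True if the attachment carries the Embedded OpenType magic number at the expected offset."""
    end = EOT_MAGIC_OFFSET + len(EOT_MAGIC)
    return len(data) >= end and data[EOT_MAGIC_OFFSET:end] == EOT_MAGIC


def triage(html, attachments):
    """Return (kind, reference) findings for content a mail gateway or proxy should hold for review."""
    findings = [("embedded-font", url) for url in find_embedded_fonts(html)]
    for name, data in attachments.items():
        if is_tnef(data):
            findings.append(("tnef", name))
        if is_eot(data):
            findings.append(("eot-font", name))
    return findings


# Constructed sample message: an HTML body using an embedded font plus two attachments.
SAMPLE_HTML = '<style>@font-face { font-family: "PCA"; src: url("fonts/pca.eot"); }</style><p>Hello</p>'
SAMPLE_ATTACHMENTS = {
    "winmail.dat": TNEF_SIGNATURE + b"\x00" * 12,
    "pca.eot": b"\x00" * EOT_MAGIC_OFFSET + EOT_MAGIC + b"\x00" * 8,
    "notes.txt": b"plain text, nothing to flag",
}

if __name__ == "__main__":
    for kind, ref in triage(SAMPLE_HTML, SAMPLE_ATTACHMENTS):
        print(kind, ref)
```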

You can download the patch for this Outlook flaw here.
