Media players are a necessary part of today’s digital-entertainment world, but they give crooks another entry into your system. Case in point: critical holes found in Adobe’s Macromedia Flash Player and in Apple’s QuickTime media player. An exploit of either bug could enable hackers to hit you with a drive-by malware download.
This article appears in the October 06 issue of PC Advisor, which is available now in all good newsagents.
Bugged versions of Flash Player 4.0, 5.0 and 6.0 accompanied virtually every copy of Windows, from the first edition of Windows 98 right up to XP SP2. The only exceptions are Windows 2000, XP Pro x64 and Windows Server 2003. All versions before 8.0.22 are at risk.
Because of this vulnerability, simply viewing a poisoned website or email message that contains a doctored Flash movie (.swf) file is enough to crash the player through a buffer overflow. The corrupted file can then run any command its perpetrator wants, such as downloading spyware or erasing files.
No attacks had been reported at the time of writing, but don’t take any chances. Update the Microsoft-redistributed versions via Automatic Updates or, if you’ve already upgraded from older versions, get version 9.0 from Adobe at www.adobe.com/products/flashplayer (Windows only).
Meanwhile, Apple has patched 12 critical holes in its own player with QuickTime 7.1 (for Windows and Mac OS).
As with the Flash bugs, these vulnerabilities could cost you control of your PC if you view a poisoned media file in QuickTime. In this case, though, a range of movie and image file types may be used, including Jpeg, bitmap, AVI, Mpeg and QuickTime.
Beware Word documents
Crooks have targeted a serious hole in Microsoft Word, sending corrupted .doc files in email attachments to invade vulnerable PCs. Some of the email messages have subject lines such as ‘Notice’ and ‘RE: Plan for final agreement’.
Microsoft has patched the vulnerability in Word XP and Word 2003. The patch has been available via Automatic Updates since June 06.
So far, the number of known attacks is small but, as always, be extra careful with email attachments, even if they purport to be from someone you know.