Prevent Attacks Aimed at IE and Windows

Microsoft has fixed a nasty Windows security hole that could hand control of your computer to an attacker. The patch offers welcome relief, because dozens of exploits for this vulnerability have been in circulation for weeks. Download the patch from Microsoft.

The problem lies in the way the Windows graphics engine handles Windows Metafiles (WMF), particularly when those files are displayed in Microsoft's Picture and Fax Viewer. Microsoft created the WMF image file format to simplify the exchange of images between various applications. (This bug is unrelated to a WMF hole that I reported on last month.)

If you view a booby-trapped WMF file on a Web page--say, on a banner ad--or you click a link to a doctored image in an e-mail or instant message, your system could be infected, letting the hacker take over.

All Windows versions from Windows 2000 through XP are at risk. Moreover, XP and Windows Server 2003 are set to display WMF files automatically, according to security firm F-Secure. To change this default, you would need to edit the Windows Registry, a potentially risky process. You are better off installing the patch in order to display such files safely.

Microsoft has also released a patch to take care of two dangerous holes in Internet Explorer that could leave you open to any number of diabolical actions. The flaws affect IE 5.01 through 6 running on Windows 98 SE through XP Service Pack 2. The first problem, similar to an earlier case (see "Defend Your PC Against Video Attacks"), involves IE's ability to run a type of software called a COM object, which wasn't designed to run in IE. Various Windows programs use COM objects to communicate with one another behind the scenes.

The one type of COM object that IE can run is called an ActiveX control. ActiveX controls enable IE to perform special tasks like playing a video in a browser window instead of, say, in a stand-alone media player. An attacker could take advantage of IE's ability to run this kind of COM object by creating one that, when run in IE, could commandeer your PC. You could launch an infection merely by reading an HTML e-mail message or visiting a Web page that contains the malicious COM object.

The patch for the bug described in the January column prevented all attacks Microsoft was aware of at the time, by modifying the Windows Registry to keep a set list of COM objects from running. This new patch does much the same, except that it blocks a new list of COM objects.

Exploits that take advantage of the second IE hole concern the way IE processes the JavaScript Web programming language. With the patch just mentioned, you'll be able to protect your PC. The bug had been known for months, but everyone, including Microsoft, thought it could at worst result in an IE crash. A UK-based researcher, however, discovered a way to use the flaw to take over a computer.

Another patch benefit: It blocks Sony's now-infamous copy-protection rootkit.