In keeping with what is now a regrettably familiar pattern, hackers launched a zero-day attack on a hole that one of the fixes addressed, before the patch could be released. This exploit was designed to target the Windows "Server service," which handles file and printer sharing in Windows 2000 Service Pack 4 through Windows Server 2003 as well as in Windows XP SP1 and SP2.
Because the Server service typically runs on PCs that are waiting for connections, clever crackers figured out how to send bogus commands over the Internet to infect vulnerable machines. The attack uses a buffer overflow strategy and can take over your PC without your having to surf the Web, read e-mail, or click anything. It proved scary enough to spur the Department of Homeland Security to release an alert of its own asking everyone to install the relevant patch as quickly as possible--something the DHS has never done before.
Fortunately, you can lessen your risk by activating a firewall, which blocks unknown incoming Internet connections. Windows XP SP2 has its firewall on by default, as do most broadband routers. This is still a dangerous hole, though, so be sure to obtain and install this patch through Automatic Updates. Alternatively, you can get it--along with additional information--from Microsoft Security Bulletin MS06-040 ("Vulnerability in Server Service Could Allow Remote Code Execution").
Shortly after releasing a cumulative update for Internet Explorer 6.0 SP1 that patched six critical holes, Microsoft discovered a problem. The new patch introduced a bug that crashed IE under certain circumstances--such as when running CRM (customer relationship management) applications like PeopleSoft and Siebel. At about the same time, eEye Digital Security, a security research firm, discovered that an attacker could take advantage of the crashes to commandeer a computer running Windows 2000 SP4 or XP SP1 (though not SP2). Two weeks later, Redmond released an updated patch.
Grab the fixed fix, which includes the cumulative updates of the previous patch, over Automatic Updates or from Microsoft Security Bulletin MS06-042 ("Cumulative Security Update for Internet Explorer").
This latest batch of critical Microsoft patches corrects a number of additional security holes in Windows dial-up connections, Outlook Express HTML e-mail, and more. Also included are two more patches for Microsoft Office. To get the complete rundown, see Microsoft Security Bulletin Summary for August, 2006.
When Microsoft releases Internet Explorer 7 for Windows XP this quarter, the company will mark the new browser as a "high-priority" update via Automatic Updates because of new security features such as better ActiveX handling. But according to the company, you can decide whether to install it when prompted to do so by an initial welcome screen. For more details, go to IEBlog.
Found a hardware or software bug? Send us e-mail on it at bugs@pcworld.com.
Although many online reviews rate it highly, some users of Webroot's Spysweeper 5.0 complain that the new version slows down their PC. Webroot's Support Q&A says that such problems may be due to 5.0's need for more RAM. To improve performance, the company recommends installing version 5.0.7, build 1608, and turning off the Keylogger Shield. Get the update and more info at Webroot Support Center. As a worst-case solution, Webroot recommends rolling back to version 4.5.
Hackers recently sent out poisoned e-mail attachments to hit a critical Word 2000 security hole before a patch was available. As usual, you should be extremely suspicious of unsolicited attachments. Microsoft will distribute the patch, once it's ready, via Automatic Updates. For more information and for a link to a free workaround that involves using Word Viewer 2003, browse to Microsoft Security Advisory 925059 ("Vulnerability in Word Could Allow Remote Code Execution").
Stuart J. Johnston
