Just as Microsoft’s security mavens celebrated a rare month of no patches, cyberthugs took the wind out of their sails by hitting a serious Windows hole in Vista and XP. Attackers could hijack your PC if you simply view a website or read an HTML e-mail laced with a poisoned animated-cursor file (.ani).

The flaw can be targeted through browsers, including Internet Explorer (6 and 7) and Firefox, as well as via Outlook versions 2002 SP3 and later, on Windows XP SP2 and Vista systems. Microsoft says the risk with IE 7 under Vista is mitigated because of IE’s protected mode, and that Outlook 2007 is safe because it uses Word to display HTML e-mail.

You can get the patch over Microsoft Automatic Updates or at Microsoft’s website.

IE 7’s troubles continue with a proof-of-concept phishing exploit published by security researcher Aviv Raff. Using it, an attacker could fool you and IE with an e-mail or Web link to a doctored error page that, when refreshed as directed, would send you to a phishing site disguised as a legitimate destination. The impostor site would show the real site’s URL in the address bar, potentially tricking even careful surfers. As of this writing, Microsoft had not yet issued a fix; as always, your best bet is never to click an e-mail link to access your bank or other financial account, even if you’re sure that the e-mail is legit. Instead, type in the address yourself or use a bookmark. For more, including a vulnerability test, see the Secunia website.

Caring too much

Microsoft has patched a problem with the way its OneCare antivirus application was handling Outlook (.pst) and Outlook Express (.dbx) e-mail files. Instead of pulling out one suspect e-mail, OneCare quarantined the entire message file, making all the user’s e-mail seem to vanish. Versions 1.1.2306.0 and later have the fix, sent through an automatic OneCare update. To get further details, scroll down at the Windows Live OneCare Team Blog.

On a more positive note, Microsoft is shipping another patch batch that improves Vista compatibility for a range of programs, including Trend Micro Internet Security 2007 and Microsoft Money 2006. For the patch and a list of affected apps, see Microsoft’s March 2007 Windows Vista Application Compatibility Update. Expect such fixes to be a regular thing.

More serious QuickTime flaws

Apple released yet another update to fix multiple dangerous holes in its QuickTime media player software for both Mac and Windows (affecting XP, 2000 and Vista). The patch closes eight critical vulnerabilities in how the player handles a variety of media files—and annoyingly it will put QuickTime on your desktop and in your system tray whether you want it there or not. An attacker exploiting any of the flaws could hit you with a drive-by download if you visit a rigged site or click on an e-mail link to a poisoned movie, so make sure that you have version 7.1.5 or later. Learn more from Apple’s page on the security content of QuickTime 7.1.5.

More battery woes

Lenovo is recalling and replacing 205,000 (100,000 in the United States) lithium ion laptop batteries for ThinkPads sold between November 2003 and February 2005, due to an overheating problem that can occur if the battery is dropped or hit. To find out if your battery is affected, see Lenovo’s battery recall support page.

Apple OS X bugs

Apple patched 45 bugs in OS X, including several critical security flaws. The new, corrected version is Mac OS X 10.4.9 and Security Update 2007-003.

So long, Firefox 1.5

Two recent patches correct critical security holes in Firefox 2.0 and 1.5 (the fixed versions are 2.0.0.3 and 1.5.0.11). But Mozilla stopped supporting (and fixing) version 1.5 as of April 24, so if you haven’t yet upgraded to version 2, do it now. Find the upgrade at Mozilla’s Firefox site.

-Stuart J.
Johnston, PC World