Microsoft security goes to the dogs


Microsoft would probably disagree that October is the cruellest month. No one ever said the company's core programs were bug-free, but August's string of embarrassing revelations has left little doubt that the software is less than secure when it comes to Net surfing. If you use Internet Explorer, Windows, Office, or MSN Messenger chat software, assume that your system is wide open to hackers. The sad details:

Georgi Guninski, the Bulgarian browser-security expert who never sleeps, found yet another flaw in Internet Explorer 5's ActiveX system that could allow a malicious hacker to take full control of your computer through an HTML e-mail message or Web page.

Microsoft promptly posted its "Scriptlet.typelib" and "Eyedog" vulnerability updates. You can find the patches at www.microsoft.com/windows/ie/security/default.asp. The fixes disable two flawed ActiveX controls that allow an attack.

Java security experts at Xerox PARC report that Microsoft's Java Virtual Machine ù the software that allows mostly Web-based Java programs to run under Windows, IE, and other apps, including Qualcomm's Eudora ù is vulnerable to the same type of attack Guninski found. However, unlike the ActiveX hole, the Java problem exists in IE 4.x as well.

Microsoft's Virtual Machine page has links to a 6.3MB patch for Windows 95/98 and a 4.4MB patch for Windows NT 4. Go to www.microsoft.com/java/vm/dl_vm32.htm.

Office 97 and 2000 users are vulnerable to a security flaw in Excel's ODBC (Open Database Connectivity) driver. With the right embedded commands, an Excel spreadsheet attached to an e-mail message or downloaded from the Net could take virtually any action on the user's computer, says Microsoft. Find a link to a 2.8MB Excel 97 fix at officeupdate.microsoft.com/downloadDetails/excel97odbc.htm; the 2.8MB Excel 2000 patch is at officeupdate.microsoft.com/2000/downloadDetails/excel2000odbc.htm.

If you use Microsoft's MSN Messenger 1 chat program, and you have a HotMail account, be careful about your online activities. Anybody who has access to your computer and knows the right place to look can discover your HotMail password while you're in the loo. Visit messenger.msn.com/download/download.asp to download and install the latest version of MSN Messenger.

- Scott Spanbauer


Category:Bugs & Fixes
Issue: December 1999

These Web pages are produced by Australian PC World © 1999 IDG Communications