Just What Color Is a Security Hole?
Computer attacks in space are no longer the stuff of science fiction: Recently, laptops on the International Space Station turned out to have computer viruses. NASA believes that the malware--a password stealer that targets online games--may have infected the laptops via a USB thumb drive that one of the astronauts carried aboard. While it wasn't much of a threat, it just goes to show that the little buggers are everywhere.
One flaw in the largely forgotten Windows Image Color Management (ICM) system allows a villain to take over your PC if you view a tainted image displayed on a Web page or embedded in an Office document or e-mail. This is one of 19 holes for which Microsoft issued six "critical" patches; attackers could use them for their malicious creations (no booster rocket required). Though ICM (meant to ensure that colors display correctly on different devices) never caught on, the insecure code still resides in Windows 2000 Service Pack 4 (SP4) through XP SP3 and Windows Server 2003. Vista users are safe.
Luckily for us, Microsoft distributed the patch via Automatic Updates before real-world attacks could erupt.
Another must-have patch fixes five major holes in Internet Explorer. Both IE 6 and IE 7 are vulnerable on all supported versions of Windows, from Windows 2000 SP4 through Vista SP1. The flaws allow targeting of an affected PC via, as usual, rigged Web pages or poisoned banner ads. Crackers have published proof-of-concept code online for one of these holes, but no known active attacks have struck against any of them. Before that changes, grab the fix from Automatic Updates or from Microsoft's site.
IE isn't the only browser at risk: On the heels of last month's Opera 9.51 update, the company issued another seven serious security fixes in version 9.52, along with a fix for a Gmail display problem.
Opera lacks an auto-update feature, so you'll need to download the new version of the browser.
Office Takes a Hit
Last month I warned you about an unpatched hole in Microsoft's Snapshot Viewer for the Access database, which could allow a crook to nail anyone with a vulnerable version of Office with Access or an Internet Explorer plug-in that displays database reports. Office 2000, 2002 (XP), and 2003 are at risk, but not Office 2007.
Microsoft has since released a patch batch, and it closes similar holes that are rated "critical" for Excel and PowerPoint 2000, along with three other critical flaws in Excel and two PowerPoint bugs.
Yet another Office 2000 patch corrects five security glitches in various filters for importing .eps, .bmp, and .pict graphics files into Office. Grab all the fixes using Automatic Updates, or get the Snapshot patch and the Excel fix from Microsoft's site.