Defend Your PC Against Video Attacks

spamhotmail_at_yahoo.com
Date: 11/19/05

    Date: 19 Nov 2005 13:41:17 -0800
    
    

    http://edition.cnn.com/2005/WORLD/europe/11/18/torture.vp/index.html

    Defend Your PC Against Video Attacks
    Plus: Fix iTunes installation woes, and patch an Internet Explorer 6
    security flaw.

    PC World
    Friday, November 18, 2005; 12:10 AM

    In Brief: Skype Patch

    The popularity of high-speed Internet connections and increasingly fast
    processors has made streaming video and audio a reality for most
    people. Nearly every news Web site features links to video of current
    events. Sometimes such videos are cued to play automatically when you
    visit a particular page. But our growing reliance on the Web to provide
    news and entertainment in this format also raises our odds of being
    tricked into triggering an attack through such streamed files.

    Case in point: Microsoft just patched a hole in the way that Windows
    Media Player handles AVI videos, a flaw that could permit an attack
    program to infiltrate your PC. To display the AVI files, WMP uses a
    playback technology called DirectShow, a component of Windows DirectX
    that enables hardware acceleration features and allows applications to
    display graphics. Without the patch, DirectX versions 7 through 9.0c
    running under Windows 98 through XP Service Pack 2 are vulnerable to
    the flaw.

    A researcher at eEye Digital Security identified a way that a bad guy
    could booby-trap a seemingly benign AVI. The attacker could then embed
    the poisoned file in a Web page and set it to autoplay in the
    background, or send it to unsuspecting users as an attachment or a link
    in an e-mail message. To get you to click, the file could have a title
    intended to pique your curiosity (say, "Funny Beer Commercial"). But if
    you clicked, the joke would be on you.

    As the poisoned file runs, it purposely sends too much data to the
    software responsible for playing AVIs in Windows (usually WMP), causing
    the program to crash and in the process enabling the attacker's hijack
    code to take over your computer. Play it safe and download the update
    at Microsoft Security Bulletin MS05-050.

    Microsoft also patched a hole in Internet Explorer 6 affecting Windows
    98 through XP SP2. The problem has to do with IE mistakenly running
    certain special communications programs, called COM objects, that
    Windows uses to swap data between applications, often on different
    systems. Some COM objects can run in IE, but others should run only in
    Windows.

    A crook could lure you to a Web page rigged with code that tricks IE
    into running a specially crafted COM object. This could cause IE to
    crash and begin running code that could take over your PC.

    Microsoft says real-world exploits that take advantage of this flaw
    already exist. Head to Cumulative Security Update for Internet Explorer
    and download the patch. It is also a cumulative IE update that contains
    all security patches ever released for IE 6.

    Skype has plugged a hole in its Voice-over-IP software (which lets you
    make free or low-cost phone calls worldwide over the Internet) that
    could let an attacker control your PC. Attackers gain entry into your
    computer if you click the wrong link on a Web page or in an e-mail, or
    if you open a booby-trapped electronic business card called a vCard (a
    file format standard for exchanging address book information through
    e-mail). Locate the patch at Skype.

    Problems With iTunes Media Player

    Many iTunes users are encountering problems when they install version 6
    on PCs running Norton Internet Security. Apple's support page indicates
    that you may need to temporarily disable your antivirus software to
    install iTunes--but disconnect your PC from the Web first. Meanwhile,
    some customers are having issues with iTunes 6 and QuickTime 7. One
    solution, several users say, is to uninstall and then reinstall both
    programs.

    However, these fixes only sometimes repair the glitch. Apple says it is
    still investigating the problems. Symantec reports no clashes between
    NIS and iTunes. Send errors
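
The article describes the booby-trapped AVI as sending "too much data" to the player. The C code below is an added example, not part of the original post, the PC World article or Microsoft's bulletin, and it does not reproduce the specific MS05-050 defect: it shows the general defensive check a parser applies to an AVI (RIFF) container, rejecting any chunk whose declared length exceeds its parent or the destination buffer. The function names `avi_structure_ok` and `chunk_copy` are hypothetical and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, not a real video: RIFF "AVI " > LIST "hdrl" > "avih" (4-byte body). */
static const uint8_t GOOD_AVI[36] = {
    'R','I','F','F', 0x1C,0,0,0, 'A','V','I',' ',
    'L','I','S','T', 0x10,0,0,0, 'h','d','r','l',
    'a','v','i','h', 0x04,0,0,0, 0,0,0,0 };
/* RIFF stores chunk sizes as little-endian 32-bit values. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
/* Walk the chunks in buf[off, end); return 0 only if every declared size fits its parent. */
static int walk(const uint8_t *buf, size_t off, size_t end, int depth) {
    if (depth > 8) return -1;                      /* refuse absurd nesting */
    while (off < end) {
        if (end - off < 8) return -1;              /* truncated chunk header */
        uint32_t size = rd32(buf + off + 4);
        size_t body = off + 8;
        if (size > end - body) return -1;          /* declared size overruns parent */
        if (memcmp(buf + off, "LIST", 4) == 0 &&
            (size < 4 || walk(buf, body + 4, body + size, depth + 1) != 0)) return -1;
        off = body + size + (size & 1);            /* chunk bodies are padded to even length */
    }
    return 0;
}
/* 1 if buf is a RIFF "AVI " container whose chunk sizes are all consistent, else 0. */
int avi_structure_ok(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "AVI ", 4)) return 0;
    uint32_t riff = rd32(buf + 4);
    if (riff < 4 || riff > len - 8) return 0;
    return walk(buf, 12, 8 + (size_t)riff, 0) == 0;
}
/* Copy one chunk body into a fixed buffer; reject rather than overflow or truncate. */
int chunk_copy(uint8_t *dst, size_t cap, const uint8_t *buf, size_t len, size_t off) {
    if (off > len || len - off < 8) return -1;
    uint32_t size = rd32(buf + off + 4);
    if (size > len - off - 8 || size > cap) return -1;
    memcpy(dst, buf + off + 8, size);
    return (int)size;
}
int main(void) {
    uint8_t bad[36], dst[4];
    memcpy(bad, GOOD_AVI, sizeof bad);
    bad[29] = 0x04;                                /* "avih" now claims 1028 bytes, has 4 */
    printf("good=%d bad=%d copy=%d\n", avi_structure_ok(GOOD_AVI, 36),
           avi_structure_ok(bad, 36), chunk_copy(dst, sizeof dst, bad, 36, 24));
    return 0;
}
```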

