Flaw in Microsoft security program may cause serious threat


A new flaw in Microsoft security software turns the software that’s supposed to be protecting you into a threat.

This critical hole appears in Microsoft’s Malware Protection Engine, a component of Windows Defender and Windows Live OneCare as well as of the Microsoft Antigen and Microsoft Forefront Security business products. Through it, attackers could take over a vulnerable PC running the security software on any supported version of Windows, including Vista, if one of the affected programs scans a doctored PDF file sent as an e-mail attachment or downloaded from the Web.

No active attacks against this hole are known to exist, but if you haven’t already received the fix through Automatic Updates, get it now.

Microsoft also patched a fistful of critical holes affecting Internet Explorer 6. Some of the flaws actually reside in Windows, but all create the risk of drive-by downloads if you browse a poisoned site with IE 6 on Windows 2000 SP4 through XP SP2. Vista is not affected, and IE 7 offers additional protection by requiring multiple confirmations to run ActiveX. All the patches have been distributed via Automatic Updates; the fixes appear to have come out before any known attacks.

The first two fixes close holes in two different ActiveX controls used by Windows (and loadable by IE) for HTML Help and Microsoft Data Access Components. The second two repair flaws involving IE’s handling of COM objects. At Microsoft’s site you can get details on the COM flaws, along with info on the final hole, which can be targeted if you click a poisoned FTP (file transfer protocol) link in an e-mail or on a hacked site.

Office attacks

Just as Microsoft thought it had fixed the last of a string of exploited holes in its Office applications, another one popped up. The fixes (distributed via Automatic Updates) close vulnerabilities rated critical in Word 2000 and important in Works and in other Word versions. The new, as-yet-unpatched bug is rated the same, and is triggered by the usual tainted e-mail attachment or downloaded file.

Vista photo gotchas, software fix

If you create digital photo tags using Microsoft’s Photo Info program in Vista, existing tags can become unreadable. Worse yet, photos in Nikon’s raw format can become unviewable.

Until camera companies provide driver updates, the workaround is, first, to avoid using the Photo Acquisition Wizard. Instead, use the camera maker’s software to upload pics, or drag and drop them directly from the camera. Second, don’t use Windows Photo Gallery or Windows Explorer to edit photo tags or properties. In other Vista news, a compatibility patch allows a slew of older programs and games to run under the OS. Visit Microsoft’s site for the fix and the list of affected software.

Costlier support

Vista buyers receive free support for 90 days from the activation date, after which calls will cost $59 per incident. XP support has changed as well: You get two free support calls, and then must pay $59 per call (up from $35).

Firefox update

New versions of Firefox (2.0.02) and Thunderbird close a number of holes, two of which are critical. Upgrade via either program’s automatic update feature, and obtain more information from Mozilla’s site.

Google Desktop fix

Researchers discovered that an infected Web site or e-mail could trick Google Desktop into divulging your data. If Google’s auto-update fix (to 5.0.701.30540) didn’t reach you, grab the new version from the Desktop site.