Bugs and Fixes: Windows Flaw Makes Shopping Risky

We have grown to believe that if we see the little padlock icon at the bottom of Internet Explorer screens, our transactions are safe. However, in light of a new discovery we can no longer be sure: Microsoft recently admitted that fundamental problems exist in the way Windows handles encryption of secure Web sessions via the Secure Sockets Layer protocol.

Even though fooling the SSL protection is hard, security researcher Mike Benham found a way to crack it. The trouble? In theory, an attacker taking advantage of the flaw could entice you to a phony Web site that poses as the real thing--say, a shopping site that you usually trust--and persuade you to provide sensitive information, like your credit card details.

Before you panic, note that nobody has been stung by this flaw to date. But even so, you should install Microsoft's patch.

A number of other Microsoft products have security woes as well. The company released another cumulative patch for Internet Explorer that affects versions 5.01, 5.5, and 6.0. It also plugs six new vulnerabilities; one of the most serious flaws could allow a miscreant to execute commands on your system. The patch includes the fix that we've been awaiting for the hole in Gopher, too.

Big Fix for Office XP

Microsoft also shipped Service Pack 2 for Office XP. SP-2 corrects all previously known bugs in Office XP, so if you've put off installing the earlier individual fixes, you're in luck--now you can handle all of them at once.

Besides addressing a number of security holes in Office XP, SP-2 fixes various minor annoyances. One such irritation: If you have Word 2002's spelling and grammar dialog box open and you press the Esc key, the application will hang. Another glitch: Excel 2002 freezes up in certain situations.

Office Web Component Holes

The same day that Microsoft released Service Pack 2 for Office XP, the company announced yet another patch for Office XP and several additional Microsoft products, including Office 2000. The separate patch repairs three freshly discovered security holes. These vulnerabilities could leave your system under the control of Web villains who could take charge of your hard drive. (If you're an Office XP user, SP-2 has these three holes covered; you won't have to install SP-2 and then apply a different patch.)

The three newly discovered security holes aren't limited to Office XP, however. Anyone who uses Office 2000, Money 2002 or 2003, or Microsoft Project 2002, and has installed Microsoft's Office Web Components is at risk.

Microsoft rated these holes as "critical" on its severity rating scale, so be sure to get the patch.