
Case in point: Microsoft just patched a hole in the way that Windows Media Player handles AVI videos, a flaw that could permit an attack program to infiltrate your PC. To display the AVI files, WMP uses a playback technology called DirectShow, a component of Windows DirectX that enables hardware acceleration features and allows applications to display graphics. Without the patch, DirectX versions 7 through 9.0c running under Windows 98 through XP Service Pack 2 are vulnerable to the flaw.
A researcher at eEye Digital Security identified a way that a bad guy could booby-trap a seemingly benign AVI. The attacker could then embed the poisoned file in a Web page and set it to autoplay in the background, or send it to unsuspecting users as an attachment or a link in an e-mail message. To get you to click, the file could have a title intended to pique your curiosity (say, "Funny Beer Commercial"). But if you clicked, the joke would be on you.
As the poisoned file runs, it purposely sends too much data to the software responsible for playing AVIs in Windows (usually WMP), causing the program to crash and in the process enabling the attacker's hijack code to take over your computer. Play it safe and download the update at Microsoft Security Bulletin MS05-050.
Danger in IE 6
Microsoft also patched a hole in Internet Explorer 6 affecting Windows 98 through XP SP2. The problem has to do with IE mistakenly running certain special communications programs, called COM objects, that Windows uses to swap data between applications, often on different systems. Some COM objects can run in IE, but others should run only in Windows.
A crook could lure you to a Web page rigged with code that tricks IE into running a specially crafted COM object. This could cause IE to crash and begin running code that could take over your PC.
Microsoft says real-world exploits that take advantage of this flaw already exist. Head to Cumulative Security Update for Internet Explorer and download the patch. The update is cumulative: it contains all security patches ever released for IE 6.
Skype has plugged a hole in its Voice-over-IP software (which lets you make free or low-cost phone calls worldwide over the Internet) that could let an attacker control your PC. Attackers gain entry into your computer if you click the wrong link on a Web page or in an e-mail, or if you open a booby-trapped electronic business card called a vCard (a file format standard for exchanging address book information through e-mail). Locate the patch at Skype.




"Bugs and Fixes: Defend Your PC Against Video Attacks" Comments