I bet you never thought the album art that Windows Media Player shows while playing your favorite music could be the key to letting an attacker trash your computer. Or that downloading a new "skin" to change WMP's looks could open the door to your PC. But due to a problem with the way the player handles bitmapped images (.bmp files), that's just what might happen.
An attacker could use this hole to bypass your system's security and do anything from planting spyware to reformatting your hard disk for the heck of it. Aside from viewing poisoned photos of your favorite artists, or downloading music or a new skin from a questionable site, you can also be infected in more traditional ways, such as via booby-trapped links on a Web site or an HTML e-mail.
The bitmap image format is one of the most common. Unfortunately, the part of WMP that handles the display of bitmaps has a flaw that permits a malicious cracker to send you a file that literally drowns it with data. WMP then crashes, passing control of your PC over to whatever commands or programs your attacker has queued to hit next.
Microsoft has distributed a patch to address this critical problem via Windows Update; you can also download it here. All versions of WMP from 7.01 through 10 are at risk (but not earlier versions).
Don't delay in patching: At least two sites have already published code that takes advantage of this WMP hole, and it won't take a lot of effort to turn that code into a prefab component for use in a dangerous worm or virus.
Java Holes
Meanwhile, Sun is dealing with its own security problems in its Java Runtime Environment, the so-called virtual machine that allows you to run Java programs. You most commonly get JRE as a plug-in so your browser can run Java applets.
A number of flaws could potentially let a cyberthug execute whatever code they want just by tricking you into clicking on a malicious link.
To check your JRE version, click Start and select Run; type CMD and click OK. At the DOS prompt, type java -fullversion and press Return. You're safe if you have J2SE (Java 2 Standard Edition) 5.0 Update 6 (which shows as 1.5.0_06) or J2SE 1.4.2_11--both already contain the updated JREs. If you don't, click here for Sun's advisory and to download the patched updates.
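The version check above, automated as an added example (not code from the column or from Sun): it parses the string that `java -fullversion` prints and applies the column's rule that only 1.5.0_06 or later on the 5.0 branch, and 1.4.2_11 or later on the 1.4.2 branch, count as patched. The function and constant names are this example's own.

```python
import re
import subprocess

# Minimum patched update per JRE branch, as given in the column:
# J2SE 5.0 Update 6 reports itself as 1.5.0_06; the 1.4.2 fix is 1.4.2_11.
PATCHED_UPDATE = {
    (1, 5, 0): 6,
    (1, 4, 2): 11,
}

# Matches the quoted form `"1.5.0_06-b05"` as well as bare `1.4.2_11` / `1.4.2`.
_VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, minor, micro, update) from `java -fullversion` output,
    or None if no version string is present. A missing _NN suffix means update 0."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro = (int(x) for x in m.group(1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0
    return (major, minor, micro, update)


def is_patched(version):
    """True only for a branch the column lists, at or above its fixed update.
    Anything else (no Java found, or a branch not named) is reported unpatched,
    which is the column's rule: if you don't have one of those two, go update."""
    if version is None:
        return False
    branch, update = version[:3], version[3]
    fixed = PATCHED_UPDATE.get(branch)
    return fixed is not None and update >= fixed


def check_installed_jre():
    """Run `java -fullversion` (note: it prints to stderr, not stdout) and return
    (parsed_version_or_None, patched_bool) for the JRE on the PATH."""
    try:
        proc = subprocess.run(["java", "-fullversion"], capture_output=True, text=True)
    except FileNotFoundError:
        return None, False
    version = parse_java_version(proc.stderr + proc.stdout)
    return version, is_patched(version)


if __name__ == "__main__":
    v, ok = check_installed_jre()
    print("JRE", v, "->", "patched" if ok else "NOT patched / not found")
```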