Illustration: Headcase DesignThe explosion of user-generated multimedia content has made the Web more fun, but unfortunately the bad guys get to play, too. These days some of the easiest venues for an attack are sites that let users post their own material.
For example, the Internet Storm Center, which tracks online assaults, recently reported that criminals used normal JavaScript features in Apple QuickTime movies to launch an attack against a MySpace vulnerability. When users viewed an infected movie on a MySpace page, the video (via the flaw) embedded itself on their own MySpace pages, and replaced their links with pointers to phishing sites. That flaw has since been fixed, but new program vulnerabilities keep the user-posted-content threat alive.
WMP Problems
Microsoft recently patched two critical holes in the way Windows Media Player (6.4 through 10) handles streaming media files with .asf and .asx extensions. An active attack using either hole would set you up for a classic drive-by malware download if you viewed a tainted page in IE (and thereby automatically called up Media Player to play a video or audio file) or otherwise pulled poisoned content directly into WMP. And, according to Microsoft, you have a particular risk of encountering such content on sites "that accept or host user-provided content or advertisements." The flaw affects WMP in Windows 2000 Service Pack 4 through Windows XP SP2; get the fix via Automatic Updates. Version 11 of WMP is not at risk.
At press time neither bug had been exploited--but the proof-of-concept code, often a precursor to an attack, had been posted for one of them.
Hole-y IE 6
Microsoft also patched two critical flaws in Internet Explorer 5.01 through 6.0 SP1 (in Windows 2000 SP4 through XP SP2) that could leave you open to an attack from a poisoned Web site (IE 7 is not vulnerable). Both holes take advantage of memory-corruption errors in the way IE handles scripts. No attacks are known to exist as of yet; but once again the company warns that sites hosting user-provided content are a likely avenue of attack.
Grab the fix through Automatic Updates, or as part of a large, cumulative IE patch.
As for Word, Microsoft is warning about yet another pair of zero-day attacks that try to trick unsuspecting users into opening rigged Word documents. In Windows, the as-yet-unaddressed holes affect Word 2000, 2002, and 2003, plus Word Viewer 2003; for Macs, Word 2004 and Word X are also in danger. Works 2004, 2005, and 2006 are likewise affected.
Ad Choices