Bugs and Fixes: A Bonanza of Browser Bug Fixes
This month brings us significant browser security updates--or new versions--from Microsoft, Google, and Apple.
Internet Explorer 8, released in March, will appear as a high-priority update if you run Windows Update, but Microsoft says you'll be able to skip it even if you have Automatic Updates set to install applications without asking permission.
Some sites, including those within a company intranet, might not look right in IE 8, even when you use the compatibility mode. But you can always use Add or Remove Programs to uninstall the new version and roll back to IE 7, and IE 8 has several security enhancements.
Chrome users may have received a new version automatically without even realizing it. Google quietly distributed Chrome 2.0, which offers a full-screen mode and an improved new-tab page. The basic look and feel haven't changed. An auto-update released just prior to Chrome 2.0 fixed one critical security flaw that attackers could target with specially crafted images, and another that involves how the browser handles tabs.
If you use automatic updates, you likely have 2.0. To check, click the wrench icon in the upper-right and pick About Chrome.
Not to be left out, Apple issued a Safari update. Version 3 and version 4 beta (offered as the current download) require updates to close three holes in both the Mac and Windows versions. The flaws could allow "arbitrary code execution" if you visit a malicious Web page designed to target them. Run Apple Software Update to make sure you're current.
Microsoft QuickTime Problem
An as-yet-unpatched hole relates to how the Microsoft DirectShow framework for multimedia handles QuickTime content. You could trigger the flaw in Windows XP, 2000, and Server 2003 by opening a poisoned QuickTime file or by visiting a tainted Web site; the problem doesn't involve Apple software. Crooks can exploit the hole in quartz.dll and take control of a vulnerable PC regardless of whether you've installed QuickTime, Microsoft says. Vista, Server 2008, and Windows 7 are not affected.
A patch may be out by the time you read this; but if not, head to this Microsoft help page for a temporary fix. Click the Fix it button under ‘Enable workaround' to download a small file that modifies the Registry to prevent quartz.dll from handling QuickTime files. The ‘Disable workaround' Fix it button will undo the change.
Microsoft's only regularly scheduled patch this month addresses holes in PowerPoint. It's a fix you'll want to have. The patch shores up a previously targeted zero-day hole in Office 2000, XP, 2003, and 2007, as well as in PowerPoint Viewer, Office Compatibility Pack, and Works software. Updates for Office for Mac 2004 and 2008 are still to come. Get this PowerPoint fix via Automatic Updates.
Mac OS X Update
Mac users have plenty more to patch than Windows users this month. The Mac OS X 10.5.7 update includes the aforementioned Safari fixes, along with a wide range of patches for other flaws that let an attacker control a Mac when the victim opens a specially made file or visits a poisoned Web page. It also includes improvements and bug fixes for nonsecurity issues such as video playback, network performance, and printing reliability. Run Time Machine for a backup as Apple recommends, and then choose Software Update from the Apple menu to start the upgrade. You can also get the stand-alone update installer from Apple's downloads page.
Another Patch for Adobe Acrobat and Reader
Because no patch cycle would be complete without a fix for the seemingly always-under-attack Adobe Acrobat and Reader, that company released a 9.1.1 update for both Reader and Acrobat 9.1. If you're stuck with earlier versions, you can grab fixes for version 7 (to 7.1.2) or 8 (to 8.1.5) also. Crooks have proven more than willing to go after Adobe flaws with malicious .pdf files, as well as with hacked Web sites that target browser plug-ins. Make sure you have the latest program by selecting Help, Check for Updates. You can also click Preferences in the resultant pop-up to verify that Reader is set to check for patches automatically.