• PC World
• »Security

Here's a perfect example of why you need the critical Internet Explorer fixes for this (and every) month: Thousands of legitimate sites were recently hijacked by online thugs who used MPack, the "latest and greatest tool" for sale by the Russian underworld, according to Ken Dunham, an engineer with VeriSign's iDefense.

The kit, which costs approximately $500 to $1000, loads a hijacked site with a range of attacks. You can expect MPack and other Web attacks to strike certain IE flaws--fixed by Microsoft in a cumulative patch this month--soon, If they haven't already.

The security problems affect IE 6 or 7 on Windows XP SP2, IE 7 on Vista, and IE 5.01 or 6 SP1 on Windows 2000 SP4; and they leave you vulnerable to at least one critical bug that can give an attacker control of your PC if you view a poisoned Web page. Make sure you've patched via Automatic Updates.

Even if you don't use IE, a hacker can exploit two other flaws with a rigged site to achieve much the same result. XP SP2 has a problem handling encrypted Web connections using Secure Sockets Layer and Transport Level Security. Windows 2000 and Server 2003 are also affected, but the bug can annoy those OSs only by breaking encrypted connections or forcing your PC to restart. Patch via Automatic Updates.

Finally, Windows 2000, XP SP2, and Server 2003 are vulnerable to attacks against a Win32 API component of the OS. Head to Automatic Updates for the fix.

Vista E-Mail Problem

Your clicking a link in a doctored e-mail message in Windows Mail can allow an attacker to run any command on your PC if you haven't fixed this critical bug. Hackers have already posted sample attack code on the Web, so get the patch from Automatic Updates. The bug affects Outlook Express 6 on XP, too, but for that program it's rated as only important (not critical).