Just as Microsoft's security mavens celebrated a rare month of no patches, cyberthugs took the wind out of their sails by hitting a serious Windows hole in Vista and XP. Attackers could hijack your PC if you simply viewed a Web site or read an HTML e-mail laced with a poisoned animated-cursor file (.ani).
The flaw can be targeted through browsers, including Internet Explorer (6 and 7) and Firefox, as well as via Outlook versions 2002 SP3 and later, on Windows XP SP2 and Vista systems. Microsoft says that the risk with IE 7 under Vista is mitigated because of IE's protected mode, and that Outlook 2007 is safe because it uses Word to display HTML e-mail.
What galls me is that Microsoft knew about the hole three months before the attacks began. You can get the patch over Microsoft Automatic Updates or at Microsoft's Web site.
IE 7's troubles continue with a proof-of-concept phishing exploit published by security researcher Aviv Raff. Using it, an attacker could fool you and IE with an e-mail or Web link to a doctored error page that, when refreshed as directed, would send you to a phishing site disguised as a legitimate destination. The impostor site would show the real site's URL in the address bar, potentially tricking even careful surfers.
At press time Microsoft had not yet issued a fix; as always your best bet is never to click an e-mail link to access your bank or other financial account, even if you're sure that the e-mail is legit. Instead, type in the address yourself or use a bookmark. For more, including a vulnerability test, see the Secunia Web site.
Caring Too Much
Microsoft has patched a problem with the way its OneCare antivirus application was handling Outlook (.pst) and Outlook Express (.dbx) e-mail files. Instead of pulling out one suspect e-mail, OneCare quarantined the entire message file, making all the user's e-mail seem to vanish.
Versions 1.1.2306.0 and later have the fix, sent through an automatic OneCare update. To get further details, scroll down at the Windows Live OneCare Team Blog.
On a more positive note, Microsoft is shipping another patch batch that improves Vista compatibility for a range of programs, including Trend Micro Internet Security 2007 and Microsoft Money 2006. For the patch and a list of affected apps, see Microsoft's March 2007 Windows Vista Application Compatibility Update. Expect such fixes to be a regular thing.