Microsoft’s “cute” animations, like the infamous Office Clippy, have aroused more ire than grateful praise, but they didn’t actually do any harm — until now. The part of Windows behind the animated yellow dog helper in Windows search, called Microsoft Agent, gives malicious hackers a route into your PC for spyware or viruses transmitted via a drive-by download.
Agent can also be used by third-party programs for their own help functions. Clippy himself isn’t a risk, but a flaw in the Agent ActiveX control that Internet Explorer 6 uses under Windows XP SP2 and Windows 2000 SP4 means the browser can be overwhelmed by a booby-trapped Agent file (.acf). If you browse a poisoned site that hosts such a file, the ActiveX control will crash, thereby opening the door to an attack program — and you don’t need to click on any of the page’s content.
IE 7 isn’t vulnerable to this flaw; to protect yourself, upgrade your browser or download the critical patch from Microsoft through Automatic Updates. Or get the patch and more info at Microsoft Technet . At press time we had not seen any reports of active attacks using this hole.
Clippy’s cousins aren’t the only pieces of old-school animation coming back to haunt users. Two dangerous IE 6 flaws in Microsoft DirectAnimation were hit with zero-day attacks before Microsoft released a patch. Although DirectAnimation has been superseded by DirectX for showing animations in the browser, it remains in IE — a little like people’s tailbones.
Again, if you just view a doctored Web page, you’ll be hit by a drive-by download. An attack crashes the DirectAnimation ActiveX controls, and can let a bad guy do anything on your PC that you can do.
If you don’t already have it, you can now get the patch for IE 6 , a fix that basically shuts down the unnecessary DirectAnimation for good.
IE 7 update gotchas
As with the Agent bug, Internet Explorer 7 is safe from this flaw, and the new browser is a good security upgrade. But some typical update glitches have surfaced. Owners of HP printers, scanners, and all-in-one units have discovered that the popular HP Director image management program doesn’t display properly with IE 7. HP’s fix should be available on HP’s Customer Care site by the time you read this; if not, you’ll see a workaround.
QuickBooks 2004 and 2005 are likewise incompatible with IE 7. Browser-based features such as Help and Payroll don’t function with the new browser. On its Web site, Intuit says that it is working on a patch for the 2005 version but notes that in the meantime you’ll need to revert to IE 6. A patch for the 2004 version may not be forthcoming.
In this case, we can’t fault Microsoft. IE 7 was available as a beta for company testing for a long while — so HP and Intuit should have taken care of these compatibility problems before now.
Mozilla ending Firefox 1.5 support
You now have a deadline to upgrade your browser: Mozilla announced that it won’t release any patches for Firefox 1.5 after April 24, 2007. That’s a fast end-of-life given that Firefox 2.0 came out only at the end of October.
The update to version 2 is relatively painless, though, and you’ll want to make sure you can keep getting patches. Mozilla just closed critical holes in Firefox 1.0 and 1.5, in its Thunderbird e-mail software, and in the SeaMonkey applications suite — all share the same problematic code. Move to the newest versions using the programs’ built-in automatic upgrades, or get the latest Mozilla Downloads .
A Month of Bugs
Expect more bug disclosures than ever: Hackers embarked on an escapade to find and publicize one new bug in kernels (the heart of operating systems) every day during November. Online attackers had a months-long romp creating exploits for browser bugs published in a similar project last summer. For a peek at what’s in store this time, check out the Month of Kernel Bugs (MoKB) archive .
Bugged?
Found a hardware or software bug? Send us an e-mail on it to bugs@pcworld.com .