Thursday, December 21, 2006
11:27 AM | 
Posted by
Sunil Bhaskar |
Microsoft's "cute" animations, like the infamous Office Clippy, have aroused more ire than grateful praise, but they didn't actually do any harm--until now. The part of Windows behind the animated yellow dog helper in Windows search, called Microsoft Agent, gives malicious hackers a route into your PC for spyware or viruses transmitted via a drive-by download. Agent can also be used by third-party programs for their own help functions.
Clippy himself isn't a risk, but a flaw in the Agent ActiveX control that Internet Explorer 6 uses under Windows Xp Sp2 and Windows 2000 Sp4 means the browser can be overwhelmed by a booby-trapped Agent file (.acf). If you browse a poisoned site that hosts such a file, the ActiveX control will crash, thereby opening the door to an attack program--and you don't need to click on any of the page's content. IE 7 isn't vulnerable to this flaw; to protect yourself, upgrade your browser or download the critical patch from Microsoft through Automatic Updates. Or get the patch and more info at Microsoft Technet.
At press time we had not seen any reports of active attacks using this hole. Clippy's cousins aren't the only pieces of old-school animation coming back to haunt users. Two dangerous IE 6 flaws in Microsoft DirectAnimation were hit with zero-day attacks before Microsoft released a patch. Although DirectAnimation has been superseded by DirectX for showing animations in the browser, it remains in IE--a little like people's tailbones. Again, if you just view a doctored Web page, you'll be hit by a drive-by download. An attack crashes the DirectAnimation ActiveX controls, and can let a bad guy do anything on your PC that you can do.
If you don't already have it, you can now get the patch for IE 6, a fix that basically shuts down the unnecessary DirectAnimation for good. As with the Agent bug, Internet Explorer 7 is safe from this flaw, and the new browser is a good security upgrade. But some typical update glitches have surfaced.
Clippy himself isn't a risk, but a flaw in the Agent ActiveX control that Internet Explorer 6 uses under Windows Xp Sp2 and Windows 2000 Sp4 means the browser can be overwhelmed by a booby-trapped Agent file (.acf). If you browse a poisoned site that hosts such a file, the ActiveX control will crash, thereby opening the door to an attack program--and you don't need to click on any of the page's content. IE 7 isn't vulnerable to this flaw; to protect yourself, upgrade your browser or download the critical patch from Microsoft through Automatic Updates. Or get the patch and more info at Microsoft Technet.
At press time we had not seen any reports of active attacks using this hole. Clippy's cousins aren't the only pieces of old-school animation coming back to haunt users. Two dangerous IE 6 flaws in Microsoft DirectAnimation were hit with zero-day attacks before Microsoft released a patch. Although DirectAnimation has been superseded by DirectX for showing animations in the browser, it remains in IE--a little like people's tailbones. Again, if you just view a doctored Web page, you'll be hit by a drive-by download. An attack crashes the DirectAnimation ActiveX controls, and can let a bad guy do anything on your PC that you can do.
If you don't already have it, you can now get the patch for IE 6, a fix that basically shuts down the unnecessary DirectAnimation for good. As with the Agent bug, Internet Explorer 7 is safe from this flaw, and the new browser is a good security upgrade. But some typical update glitches have surfaced.
Labels:
Technical
Subscribe to:
Post Comments (Atom)
1 comments:
UR NEWS IS REALLY MEANINGFUL.......
WIL TRY TO COLELCT SOME USEFUL INFORMATION ............LIKE U DO
WIL HAVE TO LEARN A LOT FROM U AND FROM UR BLOGS DA