Sometimes technology seems like a TV hospital drama, with every patient hanging by a thread. All too often, Windows (or one of its main components) is on life support, and you're the physician on call. And this episode could be a season finale: Internet Explorer and Outlook Express require a pair of big, cumulative patches to deal with five really bad bugs, while Windows itself needs attention stat.
The latest IE patch repairs four major glitches in versions 5.01 through 6 that could let a miscreant completely take over your PC or wipe your hard drive clean. With two of these holes, simply visiting a bad guy's website could initiate the attack; you wouldn't even have to click something.
Of course, if you stay away from places you wouldn't want your mother to see, your PC is much less likely to end up in the computer hospital in critical condition. To play it safe, grab Microsoft's patch.
Outlook Express 5.5 and 6 contain a vulnerability that could allow a cracker to cause just as much harm. Merely receiving an e-mail - without opening it - could automatically trigger the attack. But there's a twist: Though the hole is in OE, you're also in danger if you run Outlook 98 through 2002 without a certain update (see below). Why? Because Outlook uses OE to provide some important features. If you run Outlook Express 6 or Outlook 2002 under the default Medium security setting, or Outlook 98 or 2000 with the Outlook Security Update loaded, you can block an automated e-mail attack. But you're still vulnerable to clicking a tarnished link either in an e-mail or on a bad guy's website.
Microsoft also discovered a security threat in its Java Virtual Machine, which has shipped with Windows since Windows 95, as well as with many versions of IE. The VM enables IE, Outlook, and Outlook Express to run Java applets. However, one key feature of the VM is broken: the part that ensures Java applets are not malicious.
Preventive medicine is the best kind. Grab an updated version of the VM.
Bogus security alerts may have viruses
Phoney Microsoft security alert e-mail messages, with fake, possibly virus-laden "patches" attached, are making the rounds. Our tips below and a sharp eye will help you spot the scam before you become a victim.
Microsoft never sends patches (or any software) as e-mail attachments. It distributes software through its websites.
If you've never signed up for any of Microsoft's alerts, and you receive an e-mail that claims to be from Microsoft, just delete it.
Genuine Microsoft alerts always contain a PGP digital signature, which appears as a block of scrambled text bracketed by 'Begin PGP Signature' and 'End PGP Signature'. Most of the bogus e-mail messages don't even contain a PGP signature. Any e-mail purporting to be from Microsoft that lacks the signature is probably fake.
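The attachment and signature tips above can be applied mechanically to a saved message. The following is an added example, not code from Microsoft or from the original article; the function names, the sender address and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# OpenPGP armor lines; the article calls them 'Begin/End PGP Signature'.
SIG_BLOCK = re.compile(
    r"^-----BEGIN PGP SIGNATURE-----\r?\n(.*?)^-----END PGP SIGNATURE-----\s*$",
    re.MULTILINE | re.DOTALL,
)

def triage(raw):
    """Return reasons a claimed Microsoft alert looks bogus (empty list = none)."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    names = [part.get_filename() or "(unnamed)" for part in msg.iter_attachments()]
    if names:
        reasons.append("carries attachment(s): " + ", ".join(names))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    found = SIG_BLOCK.search(text)
    if found is None:
        reasons.append("no PGP signature block")
    elif not found.group(1).strip():
        reasons.append("empty PGP signature block")
    return reasons

def sample(body, attachment=None):
    """Build a constructed test message (hypothetical sender and content)."""
    msg = EmailMessage()
    msg["From"] = "Microsoft Security <alerts@example.invalid>"
    msg["Subject"] = "Security Update"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"MZ", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_string()

SIGNED = sample("Bulletin text.\n-----BEGIN PGP SIGNATURE-----\n\n"
                "PLACEHOLDER+NOT+A+REAL+SIGNATURE\n-----END PGP SIGNATURE-----\n")
FAKE = sample("Install the attached patch now.\n", attachment="patch.exe")
EMPTY = sample("Bulletin text.\n-----BEGIN PGP SIGNATURE-----\n"
               "-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    for label, raw in (("signed", SIGNED), ("fake", FAKE), ("empty", EMPTY)):
        print(label, triage(raw) or "no warning signs found")
```

This checks only that a signature block is present and non-empty. Confirming that a signature is genuine requires verifying it with a PGP tool against the sender's public key.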