Microsoft's Internet Explorer is the most widely-used web browser in the world - and also one that leaves users open to a fair few security problems, according to bug hunter Georgi Guninski. He has found a bug in the latest version, IE 5.5, that could allow people to read files and even execute programs on anybody's computer.
The problem arises when Java is used at the same time as ActiveX. Nobody has reported being hacked in this way yet, but Microsoft has posted an explanation and fix at www.microsoft.com/technet/security/bulletin/fq00-075.asp.
Something for which MS has suggested a workaround is Windows Me and Windows 98SE, despite denials that the operating systems themselves are at fault. It seems that on certain extremely fast machines - Athlon or Pentium III, running at 900MHz or more - they shut down too quickly for applications to save anything that is in cache memory.
The way around this is simply to shut down all your applications before closing the system or accept that going to start-Shutdown from within a file may lead to loss of data.
There is also a problem with the WebTV software that comes with Windows 98SE and Windows. Hackers can send computers information while WebTV is running and cause the system to crash. Microsoft was made aware of this problem a month or so ago but has only just acknowledged its seriousness and put patches on its website - one for Windows 98 and one for Windows Me.
These are also available free at http://news.cnet.com/news/0-1006-200-3176203.html?tag=st.ne.1430735..ni
It should be noted that this bug is in the Windows WebTV software and not in third party offerings with similar names.
Before any devotees of the non-Windows environments start gloating too much, they need to remember that Linux also has problems. A couple of releases - specifically Red Hat Linux 7.0 - i386 and Red Hat Linux 7.0J - i386 - contain a daemon, called rhnsd, which leaks file descriptors.
Linux installation and fixing is complex stuff, but the way to get rid of this is to enter the following commands:
/sbin/service rhnsd stop
/sbin/chkconfig --level 345 rhnsd off
And that should clear the problem. There are other manual ways of clearing the difficulty up, all of which have been circulated on the various Linux newsgroups and mailing lists.
While we're on the subject of Linux, it seems the Apache HTTP server has a flaw that can allow hackers to look at random files on a PC. The trouble stems from a module called mod_rewrite, which rewrites URLs for the client computer before further processing takes place.
If you're running OpenLinux Desktop 2.3 with any Apache package prior to 1.3.4-5, OpenLinux eServer 2.3 and OpenLinux eBuilder running any package prior to apache-1.3.9-5S or OpenLinux eDesktop 2.4 running any package that came out before Apache-1.3.11-2D then you could be hit.
The workaround, until you have an upgrade, is not to enable mod_rewrite. If you already use it then there's an upgrade package available at ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/ , while the corresponding source code package is at ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
If you're in any doubt about installation and extra software you might need, check www.calderasystems.com/support/security/ for more detail.
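One way to confirm the mod_rewrite workaround is in place is to scan the Apache configuration for active directives that switch the module on. The script below is an added example, not part of the original article or of any vendor advisory; the function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example: list active (uncommented) directives that enable
# mod_rewrite in an Apache 1.3-style configuration file.

# rewrite_active FILE
# Prints "line-number:text" for every active match.
# Exit status 0 = mod_rewrite is referenced, 1 = no active reference.
rewrite_active() {
    awk '
        $1 ~ /^#/ { next }              # skip commented-out directives
        {
            d = tolower($1)             # directive names are case-insensitive
            a = tolower($2)
            if ((d == "loadmodule"    && a == "rewrite_module") ||
                (d == "addmodule"     && a == "mod_rewrite.c")  ||
                (d == "rewriteengine" && a == "on")) {
                print NR ":" $0
                found = 1
            }
        }
        END { exit !found }
    ' "$1"
}

# Constructed sample configuration, not taken from a real server.
sample_conf() {
    cat <<'EOF'
# constructed sample httpd.conf fragment
#LoadModule rewrite_module libexec/mod_rewrite.so
LoadModule rewrite_module libexec/mod_rewrite.so
AddModule mod_alias.c
    rewriteengine On
EOF
}

# Demo run against the constructed sample.
demo_conf=$(mktemp)
sample_conf > "$demo_conf"
rewrite_active "$demo_conf" || echo "no active mod_rewrite directives"
rm -f "$demo_conf"
```

A clean result only covers the file scanned: a mod_rewrite compiled statically into the server shows up in the output of httpd -l rather than in a LoadModule line, and included configuration files need the same check.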
People who were hoping for a cheaper, faster processor from Intel have had their hopes dashed by the manufacturer's scrapping of its system on a chip, codenamed Timna. This was suffering from a glitch in the Memory Translator Hub (MTH) that would cause the entire system to freeze.
Instead of launching and having to recall the product, which is what the company did with a million Pentium III motherboards earlier this year, the launch was initially delayed until early 2001. However, Intel has now conceded that rival systems may well overtake Timna in terms of speed by the time of the delayed release. The entire project has now been scrapped.
At least one group of security consultants is so disillusioned with the number of bugs around in commonly-used systems that it has issued an ultimatum to software companies.
CERT (Computer Emergency Response Team) at Carnegie Mellon University has said it will allow software manufacturers 45 days to fix their systems and then go public with any information it has. It then hopes to publicise bugs alongside their solutions, in contrast with mailing lists like Bugtraq, which discuss unsolved bugs and security issues quite happily.