1. Electronics & Gadgets
  2. Computing Center
About.com
Computing Center

Internet Fixes

Sneakier spam, wilier worms, more aggravating ads... no wonder it feels like your PC is under assault. Fight back with these simple steps for keeping the latest pests at bay.

The latest viruses spread through everything from your instant messaging client to your file sharing program. Annoying new ads hijack your browser without your even clicking them. Spam greeting cards send themselves to everyone in your address book. Next-generation auction swindles exploit what's supposed to be one of the safest ways to do business online. But you can turn the tide against these pernicious pests.

What follows is our field guide to the newest threats to your PC--from hackers to sneaky adware--and the tools you need to send them packing. We'll direct you to the most important fixes for Windows and common applications. We also point out where you need to be careful about otherwise good patches that may introduce more bugs.

Worms and Viruses: The Nasties Evolve

The year 2002 marked a sharp uptick in the volume of new virus discoveries: Researchers and antivirus outfits cataloged more than double the number of new viruses recorded in 2001. And as 2003 rolls along, the breakneck pace of new virus and worm development shows no signs of abating. Meanwhile, the most persistent and resilient nasties of 2002, such as Klez, still plague our in-boxes and infuriate our associates over the Internet.

Virus writers continue to find new and ever-more-clever ways to deliver malicious code to our PCs efficiently and with potentially devastating consequences. Tantalizing e-mail attachments are still the most favored vector for attacks, but some worms target any widely used program that lets you download files, such as an instant messaging application or a file sharing tool.

Vincent Weafer, senior director at Symantec's Security Response Center, says virus makers are using worms and viruses as a way to plant Trojan horses that in turn allow their creators to exercise full control over your computer, surreptitiously record passwords you type, or steal other information you might value.

Smarter, Quieter Intruders

Historically, viruses targeted only a single vulnerability--a security hole in your copy of Internet Explorer or in your Outlook Express application, for instance.

The Slammer/Sapphire worm attack is a well-known example. It took advantage of a widely known security hole; a patch had been made available for it months earlier, but many computer operators (including some at Microsoft) had not applied the fix.

"It's no longer enough to install an antivirus program and personal firewall," Weafer says. "Users need to keep current with [operating system] patches, configure browser security settings to high, and turn off application features they don't use." Experts recommend that you turn off Windows file sharing (in the Networking control panel) if you don't need to use it, and that you use your firewall to block file sharing on TCP ports 139 and 445. (For more suggestions to lower your risk, see this month's Internet Tips.)

Newer viruses are getting more sophisticated. While the infamous Klez worm relied on Outlook Express to reproduce, Weafer says, worms with built-in mail engines are the future direction of malicious code. Such variants spread independently of e-mail programs, and they can scout for victims anywhere on your hard drive, looking for addresses even in the Web browser cache.

Vincent Weafer, director, Symantec Security Response Center.

Stealth is becoming a watchword for virus writers. With the notable exception of Slammer, worms and viruses increasingly do their dastardly deeds quietly. When viruses infect lots of computers in a short time, they are quickly detected and eliminated. The new breed waits patiently to strike at new victims. But don't confuse a low-key approach with a low risk: Your infected machine can still be used to plunder your data, attack other PCs, and wreak havoc on a network of connected computers in a home or office.

Home users who think the data on their hard drive is too insignificant to merit a hacker's attention may not realize that the computer itself is often a more attractive target than its contents.

Some intruders take control of PCs for use as a "dead drop" for potentially incriminating data, Weafer says. In these instances, the hacker gains access to a number of PCs and uses each victim's computer as a holding tank for illegal material--such as child pornography or a company's stolen files or passwords. Operating from a PC free of damaging evidence, the hacker can view the files on the victim's machine at a convenient time and in relative safety. If the victim has a broadband connection and leaves the PC powered on day and night, all the better. Simply shutting off your PC when you're not using it is probably the easiest thing you can do to avoid becoming a victim.

Pop Star Virus

Viruses and worms that activate themselves are still in the minority. Most worms require you to open a file attachment or preview its e-mail message before they become active and infect your PC. One recent example: The Avril Lavigne worm (named after the 17-year-old Canadian pop sensation) made its way into the less auspicious top 10 virus charts in January. It spreads via e-mail, IRC, instant messaging, and file sharing networks, scanning for a wide range of vulnerabilities on your system.

Opening the Lavigne worm's executable file or previewing its e-mail message in Outlook Express is all it takes to infect yourself. Its core program, a block of code named Lirva, disables antivirus programs, installs the BackOrifice 2000 Trojan horse on your system, and plants itself all over your hard drive, making it more difficult to remove. It then sends itself to everyone in your e-mail address book, to your entire ICQ contact list, to anyone who downloads your files over Kazaa, and to everyone in your IRC chat rooms. Not connected to the Internet? No problem for Lirva: It will dial up your ISP for you (in the middle of the night).

And someone went to all this trouble just to force you to view the pop singer's home page three days a month? Well, less benignly, the worm also steals the dial-up user names and passwords saved on your hard drive, and it e-mails them to the virus author. And since it installs a Trojan horse remote-control program, any hacker who has the same software can take control of your computer later on. If your PC was infected, use the free Lirva Removal tool to fully restore its health.

The Lavigne worm should serve as a warning to complacent computer users. If Lirva had been programmed to do real harm to the PCs it infects, to spy more closely on the infected user's computer, or to alter data on the hard drive more subtly, the result could have been devastating instead of merely infuriating.

Hackers also take advantage of computers left unattended to send worms through file sharing networks such as Kazaa. A specific vulnerability in Kazaa's pop-up ad program could allow a hacker to execute malicious code directly on your computer. A hacker who manages to pass a malicious ad to Kazaa (or to crack into its ad-serving network) can gain access to your local Windows security zone--and have free rein over your computer. (You can download a workaround.)

The interconnectedness of machines on the Net means that due diligence applies equally to home users and to corporate users, says Weafer, who likens securing a home or business computer to wearing seat belts and obeying traffic laws as you drive.

"We're living in a global community," Weafer explains. "[Computer security] is not only about protecting ourselves, but about protecting everybody else who's living around us."

Ads and Spam: Junk Takes Command

A new boldness is gripping online advertisers and spammers. In the shadowy world of spammers and in the Madison Avenue universe of corporate marketing, clever programmers are inventing new advertising delivery techniques that grab more and more control of your Web browser.

The newest, most insidious type of pop-up ad doesn't even require you to click it to take you to another site; simply moving your pointer over the ad in a certain way will send your browser to an advertiser's Web page. Advertisers call these "kick-through" ads, a more aggressive spin on the term click-through (defined as when you deliberately click an ad and visit the advertiser's site).

Over the 2002 holidays, travel Web site Orbitz (a heavy online advertiser) experimented with a kick-through ad on the New York Times Web site. Perplexed news junkies who inadvertently moved their mouse pointer over the ad in the way that triggered it found themselves unceremoniously dumped into the middle of a full-screen, interactive snowball fight with a herd of festive reindeer, instead of reading the day's headlines.

A New York Times spokesperson said the ad violated the site's advertising guidelines, and the company asked Orbitz to alter it.

Orbitz spokesperson Carol Jouzaitis says that the advertisements were designed to try to prevent people from accidentally triggering them. "Did everybody love them? No, but the negative feedback was less than you'd believe," she said, "and they were extremely successful. They sold more tickets."

Beware of Freeware

A few advertising companies now produce software that attempts to download a browser plug-in or program when you visit a page with their ads on it. They can use the plug-in to monitor where you surf and to pop ads in front of the browser window. Other ad companies have been releasing freeware "Internet tools," such as bandwidth speed testers, that appear to load adware onto your PC, change your browser's home page and settings, and closely monitor what you do online. Some purport to be search tools, while others claim to speed up downloads or--unbelievably--block pop-up ads.

Faced with increasingly intrusive advertising, PC users are fighting back by adopting ad-blocking software such as AdSubtract in record numbers.

Your firewall can also deal with many pop-up ads. Start by setting your hardware firewall to block the Internet domains that advertisers use, such as Doubleclick.net and Advertising.com. Over time, as you add new advertiser domains to the firewall's exclusion (or blocked domain) list, you'll see fewer ads, and those ads won't be able to spawn new windows with ads or pop-ups. Ad-blocking software like AdSubtract can halt pop-up ads. The Google Toolbar also has an option that blocks one common technique advertisers use to spawn more pop-up ads when you close a Web page.

In the latest ploy, which combines some aspects of spam with pop-up ads, marketers push ads to your PC through the Windows Messenger service--an administrative feature in Windows 2000 and XP systems that spawns a pop-up similar in appearance to a dialog box, whether your browser is open or not. The ads can pop up anytime you're connected to the Internet, even when you're merely composing a Word document. Most of the ads we've seen tout forgeries of university diplomas, so we're not talking about the most upstanding citizens here. You can block the ads by turning off the Messenger service (see " Sneaky New Form of Online Ads Pops Up" to learn how) or by installing a firewall.

Last December, many computer users received a Friend Greetings electronic card in their e-mail in-boxes. But before they could see the card, the recipients were directed to FriendGreetings.com, where they were instructed to install a program. Most people did not read the fine print of the program's license, however: By installing the application, they gave the company permission to take all the addresses from their Outlook address book--as many worms and viruses have done for years--and to send everyone listed there a Friend Greetings card in their name.

Pornographers, long on the cutting edge of spam technology, have taken to employing increasingly brazen techniques to sell their product. In previous generations of porn spam, the recipient had to click links in the message to get to the pornographer's Web page. Now spammers send images embedded in the body of e-mail messages so that simply opening the message assaults you with explicit photographs. More frequently, spam contains HTML code and a JavaScript applet that together load a pornographic Web page.

While these methods don't break any laws, they aren't exactly the hallmark of legitimate companies who want to run a respectable business. So if the people behind these ads don't care if you complain, how can you cope with them?

Antispam tools--such as Spamkiller ($40, from McAfee.com)--that promise to filter nearly all of the unwanted commercial e-mail from your in-box are here already. Some ISPs tout the spam filtering on their e-mail systems. And services like ChoicemailOne ($30, available from www.digiportal.com) let you set lists of people who are allowed--or forbidden--to send you e-mail, so you can block spammers forever. (Look for a comprehensive review of antispam tools in our May issue.)

Internet Theft and Scams: Crime Sometimes Pays

Of all the activities people love to do on the Net, shopping ranks among the highest. Of all the activities some other people love to do on the Net, scamming online shoppers ranks among the highest. A new online con that targets people who use Internet auctions threatens to separate you from your hard-earned cash by exploiting escrow services, a payment method that was previously considered safe.

Some 77 million adult Americans shop online, according to analyst firm GartnerG2. Fraudsters follow the money, and Internet fraud is on a proportionately steep rise. The National Consumers League reports that Web shoppers lost over $7 million to Internet fraud in the first six months of 2002. That's up from $6 million in all of 2001 and $3 million in 2000. And those are just the consumer victims. Of 500 businesses that responded to an FBI survey, more than 80 percent reported that they were victims of cybercrime. The 223 companies that gave financial details claimed, in 2002 alone, an average of $2 million in losses.

Online auction fraud outpaces other forms of cyberfraud against individuals by a huge margin. In November 2002, serial scammer Teresa Smith admitted to selling nonexistent computers to 300 customers on EBay and Auction Works for a total sum of $800,000. The big auction sites claim they aggressively fight abuse like this, in part by promoting the use of escrow services. EBay spokesperson Kevin Pursglove says that allegations of fraud arise in fewer than 1 in 10,000 auctions.

Escrow services are supposed to act as honest middlemen in an online transaction: They hold a buyer's money until goods arrive, and then they transfer the funds to the seller. In some cases, they transfer the product from the seller to the buyer. But fake escrow sites cheat auction buyers and sellers (though not in the same transaction), and make off with both money and goods.

The scam starts with stolen credit card numbers: Con artists use them to buy Web hosting services that can't be traced back to themselves. Then they upload professional-looking Web pages to their freshly minted escrow sites, which are designed to convince a visitor that the escrow company is legitimate.

Next, the cons list items for sale at auction sites like EBay--only they don't actually have the items they purport to be selling. When a buyer takes the bait and wins the auction, the seller instructs the buyer to register with and use the fake escrow service to complete the purchase. Once the buyer wires the money to the fake service, the site disappears, along with the buyer's money and credit card information.

The same scam works just as well in reverse: A fraudulent buyer requests that the seller use a particular escrow service; then the phony service notifies the seller by e-mail that the money has arrived. When the seller ships the goods to the escrow service (most often to an overseas address), the merchandise disappears.

More than a hundred scam escrow sites have popped up in the last year, many of them chronicled at www.sos4auctions.com; the site offers clues for spotting the fakes and tips on how to get the most out of a good, established service. One service that we can recommend is www.escrow.com, which was the first online escrow business certified under California's escrow laws, the nation's most stringent. Those laws require all escrow company employees to be bonded and to have criminal background checks.

EBay recommends using an escrow service on any auction with a value of more than $500, but it makes sense to use one whenever what's at risk is worth more than you can stand to lose.

In addition to relying on a legitimate escrow service, you might try a service like Transrow, which helps sellers (mostly for high-end transactions) verify bidders by requiring them to deposit funds or submit a driver's license and credit reference. It always pays to check the background of an escrow site you're not familiar with at Sos4auctions.com or the Better Business Bureau before you commit to any purchase. If the escrow service lists a mailing address and telephone number, ask the BBB to consult its records to see whether anyone has filed complaints against the company.

No Signs Fraud Is Abating

Widely touted as the safest way to pay online, credit cards are becoming the target of organized wire-fraud rings. In the latest scams, savvy cyberthieves convince people to update their personal information on a fake Web page that sends the information to the scammer. (For more on this scam, see March 2003's Consumer Watch column.)

Even Western Union, the venerable money-by-wire service, is being abused by shady auction scammers, who convince gullible buyers to divulge the wire transfer control number--a secret code that, once given at a Western Union office, authorizes disbursement of funds--before the buyer has the product.

The cons convince buyers to send them the control number before they receive the product, assuring victims that the con artist can't get the money until the victim provides an additional piece of information, such as a secret password or name. This is a lie. With the control number, they can walk down to the nearest branch and collect the dough anytime.

Don't use a wire transfer to complete any auction, especially if the other person is overseas, advises Rosalinda Baldwin, who runs Theauctionguild.com, an auction scam information site. Baldwin writes that Western Union informed her that "none of the [auction] buyers are receiving their merchandise when the item was paid for using a wire transfer."

Shop Defensively Online

Always do your homework before you click that Buy button, says Susan Grant, director of Internet Fraud Watch. She suggests a number of tips for shoppers on IFW's Web site. "The fact that the Internet offers this wonderful convenience doesn't obviate the need to know who you're dealing with," she says. And if the other party is trying to rush you into completing the transaction before you can finish your research, that should raise a red flag.

If you think that you (or someone you know) may already have fallen victim to an online fraud, the FBI's Internet Fraud Complaint Center serves as a first point of contact with law enforcement agencies that specialize in investigating these kinds of cases. You can file a report right on their Web site.

If an auction or an online purchase doesn't feel right, don't pull the trigger--no matter what the effect might be on your rating as a buyer or seller. That's what victims of online auction fraud tell us most frequently. And that is perhaps the best advice for anyone who is considering making an online purchase: If the deal worries you, trust your gut.

Kim Zetter is a contributing editor for PC World. Dylan F. Tweney is a writer and editor in San Mateo, California.

E-Mail Programs: Insulate Your In-Box

Microsoft Outlook: Security vulnerabilities in Outlook 2002 are addressed by the service packs for Office XP (see "Office Suites"). Once you've installed Service Pack 2, however, Outlook may start crashing. To fix that problem--and to patch yet another security hole that spammers could use to crash your e-mail application--download the Outlook 2002 Update.

Outlook 2000 users need to get Office 2000 SR-1a and Service Pack 3 (see "Office Suites" for details). Once SP3 is installed, you may find that Outlook 2000 fails to behave properly, or that it uses 100 percent of your CPU resources when running in Internet Mail Online mode. A small patch will cure that problem.

If you don't want to install Office 2000 SP3 for some reason, you should at least install the latest version of the Outlook 2000 Security Update, which will protect you against e-mail viruses and worms.

Microsoft Outlook Express: Outlook Express is bundled with Internet Explorer; so to secure Outlook Express, you need the latest fixes for the browser. Get the cumulative patches for IE 5.5 and 6.

Outlook Express 6 and Outlook Express 5.5 Service Pack 2 also have a vulnerability that hackers could exploit to crash or hack into your computer, just by sending you a digitally signed e-mail message. To prevent this theoretical attack, download the Security Update for Outlook Express.

A separate, cumulative update for Outlook Express 6 users patches a number of other security gaps.

Eudora: Eudora versions 5.0 and 5.1 could allow an attacker to run code on your machine by sending you specially formatted multipart e-mail messages. Unlike Microsoft, Qualcomm doesn't do patches. The newest version of the program, Eudora 5.2, takes care of the problem. (The upgrade is free for users who purchased and registered Eudora 5. x Paid mode within the last 12 months.)

To protect yourself against "cross-site scripting," which can let HTML-formatted e-mail messages execute code on your machine while posing as Web sites that you trust, go to Tools, Options, Viewing Mail, and make sure that 'Allow Executables in HTML Content' is not checked.

--Dylan Tweney

Operating Systems: Protect Your Platform

All Versions of Windows: Microsoft's Windows Update site automates the patching process by recommending downloads based on your PC's configuration; it can save you a lot of time. Windows Update also allows you to download everything in one fell swoop.

IS managers should visit the Windows Update Catalog page. There you can locate updates by operating system and program, and then install them manually.

If you want to stay on top of the latest security updates as they are released, or browse through past updates, head over to Microsoft's Security & Privacy pages, where you'll find the most recent bulletins, as well as the archived ones. You can also sign up to have Microsoft put you on its e-mail list to receive its security alerts.

If you prefer to obtain your patches a la carte, read on.

Windows XP: Whether you have XP Home Edition or XP Professional Edition, you have security problems stemming from Universal Plug and Play, glitches in the way XP handles SSL certificates from secure Web sites, a bug that could prevent you from accessing encrypted files after you change your password, and other issues. The fix: Install Windows XP Service Pack 1.

Windows XP users can avoid visiting the Windows Update site by turning on Automatic Updates, which will download patches as soon as they become available--and install them for you too, if you want. Right-click My Computer, select Properties, and choose the Automatic Updates tab. Put a check in the box beside Keep my computer up to date, and specify whether you want Auto Update to notify you before it installs the updates or you want it to do its thing automatically. Automatic updating is available for Windows 2000 users, too; it's included in Windows 2000 Service Pack 3.

Because patches themselves can cause difficulties (see " When the Cure Is Worse Than the Disease"), we recommend that you have Windows notify you before it installs any patches. If the notifications themselves become annoying, then turn off Auto Update--but don't forget to check periodically for new patches.

Windows Me: Windows Me has a number of security holes, including problems in the way Me handles digital certificates and a bug that lets other users on a network view shared folders on your PC even if they don't have the right password. There's no service pack for Windows Me, however, nor is there a single list of security patches for this operating system. The easiest way to patch your Me system is to go to the Windows Update site.

Windows 2000: This version has hundreds of serious security holes and bugs, including multiple flaws relating to password theft, denial-of-service attacks, and more. Service Pack 3 will help fend them off.

The Windows 2000 High Encryption Pack provides 128-bit encryption support for Web sites that run on a Win 2000 server, increasing the security of online transactions.

Windows 98 and Windows 98 Second Edition: The first edition of Windows 98 has a limited number of security problems, including a hole that could allow an intruder to get around log-in and password screens. The Windows 98 Customer Service Pack fixes the flaws, along with a few stability issues. Windows 98 SE users don't need this service pack.

Besides the Customer Service Pack, there are a dozen additional security updates for Windows 98 and Windows 98 SE. Among the security gaps corrected are weaknesses that allow hackers to run malicious code on your computer, crash your e-mail program, and retrieve stored passwords. Microsoft provides a list of Windows 98 security updates and links to the patches.

--Dylan Tweney

Browsers: Beef Up Their Borders

Internet Explorer: If you're using Internet Explorer 6, critical security issues include a vulnerability that maliciously programmed Web sites could exploit to gain access to files on your PC, and a bug that permits sites to read and change the contents of cookies that other sites have stored on your PC. To mitigate these risks, download Internet Explorer Service Pack 1. (Note: IE SP1 is included in SP1 for Windows XP.)

The High Encryption Pack adds 128-bit encryption to IE, beefing up security for online transactions. It's available for IE versions 4 to 5.01. Versions 5.5 and 6 already include 128-bit encryption.

Once you have installed the IE service packs, you should check regularly for the most recent updates. See Microsoft's bulletins (under Security Updates), or jump to Critical Updates for links to all cumulative patches.

If you're using IE 5.01, 5.5, or 6 on any platform except Windows XP, your PC has a critical security gap in the Microsoft Data Access Components. By attacking this weakness, a hacker could run devious code on your PC. The patch is not included in IE's cumulative updates. Windows XP users don't need this fix.

If you're using IE 5.5, you need to fix some minor security vulnerabilities. Get Service Pack 2. IE 5.01 users need to plug various minor security holes, too, by installing their Service Pack 2.

Netscape: The latest version of Netscape's browser, Netscape 7.01, includes every security update that the company has provided to date. One flaw could let a nasty Java applet access your PC. If you use Netscape 6.2.2 or 7.0, you don't need to upgrade to fix this flaw, but all earlier versions are affected.

Netscape versions 6.1 to 6.2.2 (inclusive) have a problem with the component used to download XML files. This bug could allow hackers to read files on your PC. Versions 6.0 through 6.2 have a hole that could permit Web sites to view cookies from other sites on your system. Both flaws are fixed in Netscape 7.01.

--Dylan Tweney

When the Cure Is Worse Than the Disease

The trouble with software patches is that they are themselves software. As a result, like the programs that they're intended to fix, the patches sometimes have glitches or security holes of their own.

Case in point: Office XP Service Pack 2. Shortly after Microsoft released this update in August 2002, people who installed it found that Outlook crashed after downloading certain e-mail messages. Microsoft didn't release a patch until December, so some people had to deal with an unstable e-mail client for a few months.

Security-conscious users, then, are caught on the horns of a dilemma: install patches as soon as they come out (and before any bugs are discovered), or wait and leave your system open to a known vulnerability?

Even the security experts punt on this question. Richard M. Smith, an independent Internet security and privacy consultant in Cambridge, Massachusetts, says that he regularly updates his Windows system--but tries to avoid using Windows XP's Automatic Updates. "There's a risk here that an update may get rushed out and not be fully debugged," Smith explains. "[The update] might actually make things worse rather than better."

Don Mungovan, vice president of IT, QST Industries, Chicago.

System administrators don't have much use for Automatic Updates--or, for that matter, the Windows Update site. "Windows Update does not lend itself nicely to the corporate world," says Don Mungovan, vice president of IT for QST Industries, a textile supplier in Chicago. "An administrator still needs to be logged on to [each] machine, and I do not have the luxury to have someone touch every machine in a timely fashion." Instead, Mungovan relies on Ecora Patch Manager to partially automate software patching.

What's a Windows user to do? It depends on how much you trust Microsoft--and how much footwork you're willing to do on your own. For the easiest updates, Windows XP Home Edition users should put Automatic Updates to work (see " Operating Systems" for details). When configuring the feature, limit your selection to "critical updates," which will ensure that you're fixing the most serious holes.

If you don't trust Automatic Updates--or can't use it because you have an older version of Windows--consider using the semiautomated Windows Update site instead; Smith says he follows that strategy.

Anyone who worries about potential problems with a new patch or service pack shouldn't install patches as soon as they come out. Wait a week or two. Check Microsoft's site to find out about any emerging caveats. For problems with non-Microsoft patches, you'll need to monitor the vendors' sites for updates. Remember to read our monthly Bugs and Fixes column for advice about dealing with troublesome patches from Microsoft and others. You can also search discussions on Google.

If a patch causes problems, you may or may not be able to remove it. "The reality is that sometimes patches simply are not uninstallable," says Iain Mulholland, security program manager in Microsoft's Security Response Center. So check the download notes (if any) for details about whether you can back out.

--Dylan Tweney

Office Suites: Safeguard Your Apps

Office XP: Because of a flaw in the way that Word, Excel, and PowerPoint detect macros within files, you could open up a document from a malicious user and trigger its macros to run without your noticing anything. Office XP Service Pack 1 takes care of the security problem and enhances overall performance as well.

After that service pack was released, new security threats were discovered relating to Word and Excel macro options and to Web-browsing components. Office XP Service Pack 2 seals those holes and includes a number of other bug fixes and performance enhancements. SP2 does not include the fixes offered in SP1; install SP1 before grabbing SP2.

Note: If you use Outlook 2002 and it crashes after you install SP2, you need another patch. See " E-Mail Programs" for more details.

Office 2000: In Microsoft Office 2000, the macro features in Excel are particularly vulnerable to outside attackers. On top of that, Outlook and Outlook Express have a flaw that leaves your machine open to the Worm.Explore.Zip (Pack) virus. Get the Service Release 1a Update.

Following Microsoft's posting of SR-1a, additional security holes appeared on the scene, such as a problem in the way that Outlook handles e-mail attachments, and potential security problems with Excel, Word, PowerPoint, and RTF files. Office 2000 Service Pack 3 includes all the security patches released after SR-1a.

Whether you're using Office XP or Office 2000, you may need to get the latest version of Microsoft Office Web Components. These tools come as part of Office XP, Office 2000, Money 2002, Money 2003, and other apps, and they are also available as a freestanding download from Microsoft's site. Early versions have security holes that could give a Web site unauthorized access to files on your PC. Go to Microsoft Security Bulletin MS02-044 for a link to the patch. If you've installed Office XP SP2, you don't need this fix.

Corel WordPerfect: According to Corel, there aren't any significant security fixes in the company's recent updates, Hot Patch 4 and Service Pack 3 for WordPerfect. The earlier Service Pack 2, however, permits WordPerfect Office 2002 to integrate with Entrust's PKI Server, which will increase your security if you're using that product.

If you use WordPerfect Office 2000, you might encounter a system error if you should attempt to open a password-protected file on a document management system. Installing the Office 2000 Hot Patch will restore your ability to use password-protected files in this situation.

Finally, WordPerfect Office 2000 Service Pack 4 enables WordPerfect to run in a safer, "restricted users" mode on Windows 2000 or Windows Terminal Server. The service pack is not available as a download; you need to request it from Corel customer service.

--Dylan Tweney

Other Net Tools: Media and Instant Messaging

Media players: Three security defects affect RealOne Player, and they potentially allow a hacker to run arbitrary programs on your computer. The company recommends that anyone using RealPlayer 8 or earlier editions upgrade, as well. The latest (secured) version is RealOne Player version 2. Jump to the company's update page to get further details.

Microsoft Windows Media Player versions 6.4 and 7.1 and Windows Media Player for Windows XP all contain three separate security flaws. One of these problems is critical, since it could let an attacker take charge of your PC. You need the cumulative patch.

Macromedia Flash: Macromedia's Flash player has a weakness that could allow a specially written Macromedia Flash file to take control of your PC. An earlier vulnerability allowed a Flash-powered site to download information from files that are stored on your PC. To fix both problems, the company advises you to install the latest version of the Macromedia Flash player (version 6,0,65,0 or later).

Instant Messaging Software: Last year, two buffer-overflow vulnerabilities were discovered in AOL Instant Messenger that would have allowed attackers to run code on your computer or to control it remotely. AOL says that it has fixed the problem on its own servers, so AIM users don't have to make any changes themselves. But you might want to get the most recent version (5.1.3036) just to be safe.

If you're using MSN Messenger 4.5 or 4.6, or the MSN Chat Control (an ActiveX control that lets you create online chat rooms), there's a vulnerability that could allow an attacker to run code on your computer. Point your browser to Microsoft Security Bulletin MS02-022 for Microsoft's patch.

Older versions of Yahoo Messenger may contain security flaws that could allow hackers to run code on your computer or to modify information in your Friend List. Yahoo recommends that you upgrade to the latest version of Yahoo Messenger (version 5.5) to fix the problem.

--Dylan Tweney

©2012 About.com.   The New York Times Company.