In other words, beginning on October 22, you’ll be able to buy systems with Windows 7 pre-installed. You’ll also be able to buy Windows 7 off-the-shelf on that date. In the meantime, most computer manufacturers are including a “free” upgrade to Windows 7 with their current offerings.

Unless the bad guys start exploiting this bug heavily, Microsoft will likely not fix it until the next regular second-Tuesday patch cycle. Until then, there’s a Help and Support page offering a temporary workaround.

A couple of days ago, proof-of-concept code was posted showing how a malicious web site could trigger a “drive-by download” when a page was viewed with Firefox 3.5. The 3.5.1 release plugs this hole.

You can get the latest version of Firefox from the Mozilla web site or by clicking on “Check for updates…” in the Firefox Help menu or you can wait for the update to be offered to you automatically when you launch Firefox. Personally, I wouldn’t wait too long.

Two of the three critical patches released this month are very high priority because they are already being exploited in the wild. Both deal with ActiveX-related video handling in Internet Explorer. One of them permits “drive-by” infection of a visitor viewing an infected web page. The other works by tricking people into viewing a malformed QuickTime video. These vulnerabilities affect users running Internet Explorer under Windows XP, but not Vista and Windows 7. Microsoft is less forthcoming about the third critical patch but, word is, it impacts all Windows versions.

Bottom line: When Windows Update offers you these critical updates, you should install them. Immediately.

Updates and clarifications . . .

If you are riding herd on any Windows-based servers, Internet Explorer running under Windows Server 2003 is vulnerable to the ActiveX exploits mentioned above; the Server 2008 environment is safe.

And, just to make myself perfectly clear, you have to be running Internet Explorer directly to be affected by these issues. Although other applications — the Outlook email client, for instance — use Internet Explorer components to view web content, they do so in a more restricted environment that blocks ActiveX exploits.

The sole Microsoft patch fixes a “critical” flaw in PowerPoint. “Critical” means it’s a big deal. In this case, opening a maliciously crafted PowerPoint presentation could allow an attacker to execute code remotely on a victim’s computer. All versions of PowerPoint released in the past 10 years are vulnerable to this one.

Adobe is patching Reader/Acrobat to fix yet another problem associated with embedded JavaScript. This issue, as well as a work-around, was discussed in an earlier post here.

You can safely assume that the bad guys, knowing that people are often sloppy about security updates, will try to take advantage of both vulnerabilities. The Adobe Reader bug will likely be the primary target. Almost everyone has Adobe Reader installed on their computer and most folks are used to encountering PDF files on web sites.

Be careful out there.

Short version: It’s bugle oil. They’re talking about the way Windows handles the display of something called file extensions. This was always a fairly minor issue and, for the past several years, has been a non-issue.

Read on for details, if you wish…

A file name has two parts: the name of the file and its extension. Think of an extension as the part of the name that identifies the file’s type. For example, suppose you create a Word document named “Newsletter”. The actual name of the file on disk is “Newsletter.doc” (or maybe “Newsletter.docx” if you’re using Word 2007). The “.doc” (or “.docx”) part is the file’s extension. It tells Windows that the file is a Word document and that it should be opened with Microsoft Word and not some other program.

Unless you tell it not to, Windows hides the extensions for all recognized file types. So, if you look in your documents folder, you will see your Word document listed as “Newsletter”, not “Newsletter.doc”. Windows is trying to be “helpful,” here. The idea is that, if you saved your document as “Newsletter”, it is less confusing if it simply shows up as “Newsletter” on disk.

Problem is, scammers sometimes take advantage of this extension-hiding feature to make infected email attachments look harmless — sort of. For instance, they might create an infected email attachment named “bargains.txt.exe”. The “.exe” part means that it is a program but, if Windows is hiding extensions, the name will appear as “bargains.txt”. Some folks might open the attachment, thinking it is a harmless text file.

First off, the double extension trick was never that effective and, for that reason, is hardly used anymore.

Also, Windows effectively plugged that hole several years ago. Beginning with Windows XP Service Pack 2, attempting to launch any program downloaded from an external source triggers a warning that looks something like this:

Getting a warning like that when you thought you were opening a text file is a pretty strong clue that something is amiss.

Finally, if you have any sort of reasonably competent, up to date antivirus program running, it will probably zap the offending file before you even get a chance to look at it. A good antivirus program isn’t guaranteed to catch everything, but a miss is pretty rare unless you encounter a very recent (as in a few hours old), cleverly written piece of malware.

So, you can shoot yourself in the foot by opening an infected email attachment, but you have to work at it. Whether or not you are hiding  file extensions has very little impact on your risk level.

All that being said, I still prefer to be able to see complete file names, including extensions. It’s one of the first tweaks I make to Windows when I’m setting up a new system. If you wish to disable extension hiding, there’s an article in the WhertRA web log that tells you how to do it.

The usual cautions apply: Avoid unverified email attachments. The same goes for links in unsolicited emails. If you are researching swine flu online, look at search result links with a jaundiced eye. Better yet, go straight to one of the authoritative web sites and work from there. The World Health Organization’s Influenza A(H1N1) is a good starting point, as is a similar page maintained by the U.S.-based Centers for Disease Control.

Be careful out there.

How to get it…

• If you have automatic updates enabled and set up to download more than just core Windows updates, you should be offered Office 2007 SP2 automatically.
• You can download it directly from Microsoft.
• Or, you can get SP2 from a third party such as BetaNews fileforum.

So far, the SP2 update seems to be pretty well behaved. It reset my default news reader setting, but that was a minor irritation, easily corrected. If I encounter any significant issues, I’ll post them here.

Oh, one more thing: If you are running Windows XP, you must have Service Pack 3 installed before you can install Office 2007 SP2. For Vista, Service Pack 1 is required.