Bugs and Fixes: file-sharing vulnerability hits Vista

Windows Vista users, take note of a new security hole involving Windows file sharing; plus, it's time to update your browsers.

Windows Vista users (and IT folks taking care of Server 2008 computers) should watch out for a new security hole involving Windows file sharing. A remote attacker could assume full control of a vulnerable computer by exploiting a flaw in the SMB (Server Message Block) protocol used for Windows file and printer sharing.

Most home users should already have a firewall in place that blocks attempts to reach the TCP ports that SMB uses (139 and 445). Microsoft may have a patch available by the time you read this, but as of this writing no fix was yet available. For more details, see Microsoft's security advisory.

In a recent Microsoft monthly release, the ActiveX patch-up continued with an additional fix for the buggy Microsoft Active Template Library (ATL), along with updates for Windows Media Player and other software created with ATL. It's a critical fix for Windows 2000 SP4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, according to the MS09-037 bulletin.

Another patch closes holes in the way that Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 all handle AVI video files. Opening a specially crafted, poisoned AVI file could allow an attacker to run any command on your PC, but the MS09-038 patch shuts the door.

Other critical fixes in the monthly batch apply more to businesses than to consumers. These include patches for the Remote Desktop Connection feature and the Windows Internet Name Service.

Browsers Bump Up

You'll also want to make sure your browser of choice is up to date. New versions of Firefox, Chrome, and Safari all came out in the past month or so.

A new Firefox 3.0 closes a hole in the browser's handling of SSL certificates that could allow an attacker to decipher encrypted traffic to and from a protected site, such as online banking sites. And a new 3.5 version fixes a JavaScript bug that criminals could use to install malware (also fixed in the new 3.0). Head to Help, Check for Updates to make sure you have at least Firefox 3.0.13 or Firefox 3.5.2.

Safari users on both Windows and Mac who haven't picked up the latest patch could be attacked simply by viewing a tainted image or site. Vulnerabilities involving the CoreGraphics and ImageIO components affect only Windows, but problems in the WebKit browser core affect Macs as well, as does a flaw that could promote a malicious site in the Top Sites page. Run the Apple Software Update tool to confirm that you have Safari 4.0.3 or later.

Google Chrome received an automatically distributed update to 2.0.172.43. This version closes high-priority holes that could allow an attacker to launch attacks via poisoned XML or JavaScript on a Web page; it also includes a restriction against SSL certificates signed with old and insecure algorithms. See Google's Blogspot post for more details.

Security Updates for Macs

Mac OS X 10.5.8 fixes a wide range of vulnerabilities, including some that could hand control to an attacker if you view a poisoned image or Web site crafted with malicious XML. While Mac users are still immune to the vast majority of Windows-centric malware, Mac-specific threats are now appearing, as evidenced by Apple's inclusion of malware scans in Mac OS X Snow Leopard that will attempt to block two known Mac Trojan horses. Run Software Update from the Apple menu to pick up the new OS X, and see Apple's support site for full details.

Speaking of Snow Leopard, the new OS installs an old, unsafe version of Adobe's Flash, even if you had a new, fixed version of Flash before upgrading. Check your current version at Adobe's Flash version test page, and if necessary nab the latest version.


Erik Larkin

PC World (US online)
