Bugs and Fixes: file-sharing vulnerability hits Vista

Windows Vista users should take note of a new security hole involving Windows file sharing. Plus, it's time to update your browsers.

Windows Vista users (and IT folks taking care of Server 2008 computers) should watch out for a new security hole involving Windows file sharing. A remote attacker could assume full control of a vulnerable computer by exploiting a flaw in the SMB protocol for Windows file and printer sharing.

Most home users should already have a firewall in place that blocks attempts to reach the ports that SMB uses (139 and 445). Microsoft may have a patch available by the time you read this, but as of this writing no fix was yet available. For more details, see Microsoft's security advisory.

In a recent Microsoft monthly release, the ActiveX patch-up continued with an additional fix for the buggy Microsoft Active Template Library (ATL), along with updates for Windows Media Player and other software created with ATL. It's a critical fix for Windows 2000 SP4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, according to the MS09-037 bulletin.

Another patch closes holes in the way that Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 all handle AVI video files. Opening a specially crafted, poisoned AVI file could allow an attacker to run any command on your PC, but the MS09-038 patch shuts the door.

Other critical fixes in the monthly batch apply more to businesses than to consumers. These include patches for the Remote Desktop Connection feature and the Windows Internet Name Service.

Browsers Bump Up

You'll also want to make sure your browser of choice is up to date. New versions of Firefox, Chrome, and Safari all came out in the past month or so.

A new Firefox 3.0 closes a hole in the browser's handling of SSL certificates that could allow an attacker to decipher encrypted traffic to and from a protected site, such as online banking sites. And a new 3.5 version fixes a JavaScript bug that criminals could use to install malware (also fixed in the new 3.0). Head to Help, Check for Updates to make sure you have at least Firefox 3.0.13 or Firefox 3.5.2.

Viewing a tainted image or site could trigger an attack for Safari users who haven't picked up the latest patch for both Windows and Mac. Vulnerabilities involving the CoreGraphics and ImageIO components affect only Windows, but problems in the WebKit browser core affect Macs as well, as does a flaw that could promote a malicious site in the Top Sites page. Run the Apple Software Update tool to confirm that you have Safari 4.0.3 or later.

Google Chrome received an automatically distributed update to 2.0.172.43. This version closes high-priority holes that could allow an attacker to launch attacks via poisoned XML or JavaScript on a Web page; it also includes a restriction against SSL certificates signed with old and insecure algorithms. See Google's Blogspot post for more details.
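For anyone checking more than one machine, the minimum versions above can be turned into a small audit. The script below is an added example, not something from the original column; the function names and the sample inventory are constructed for illustration, and it assumes that branches newer than those named here already carry the fixes. It compares versions numerically and per release branch, because a plain string comparison ranks 3.0.9 above 3.0.13, and a single Firefox minimum would wrongly pass 3.5.1.

```python
import re

# Minimum fixed builds named in the article, keyed by product and release branch.
MIN_FIXED = {
    "firefox": {(3, 0): (3, 0, 13), (3, 5): (3, 5, 2)},
    "safari": {(4,): (4, 0, 3)},
    "chrome": {(2, 0): (2, 0, 172, 43)},
}

def parse_version(text):
    """Turn '3.0.13' into (3, 0, 13); reject anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def check(product, version_text):
    """Return 'ok', 'outdated' or 'unknown' for one installed browser."""
    branches = MIN_FIXED.get(product.lower())
    if branches is None:
        return "unknown"
    version = parse_version(version_text)
    for branch, minimum in branches.items():
        if version[:len(branch)] == branch:
            # Pad short versions so '4.0' is compared as 4.0.0 against 4.0.3.
            padded = version + (0,) * (len(minimum) - len(version))
            return "ok" if padded >= minimum else "outdated"
    if version < min(branches):
        return "outdated"   # older branch: the article names no fixed build for it
    if version > max(branches.values()):
        return "ok"         # assumption: later branches include the fixes
    return "unknown"        # falls between listed branches

def audit(inventory):
    """Return the (product, version) pairs that still need updating."""
    return [(p, v) for p, v in inventory if check(p, v) == "outdated"]

# Constructed sample inventory, not real data.
SAMPLE = [("Firefox", "3.0.9"), ("Firefox", "3.5.2"), ("Firefox", "3.5.1"),
          ("Safari", "4.0.3"), ("Chrome", "2.0.172.9"), ("Chrome", "2.0.172.43")]

if __name__ == "__main__":
    for product, version in audit(SAMPLE):
        print(f"update needed: {product} {version}")
```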

Security Updates for Macs

Mac OS X 10.5.8 fixes a wide range of vulnerabilities, including some that could hand control to an attacker if you view a poisoned image or Web site crafted with malicious XML. While Mac users are still immune to the vast majority of Windows-centric malware, Mac-specific threats are now appearing, as evidenced by Apple's inclusion of malware scans in Mac OS X Snow Leopard that will attempt to block two known Mac Trojan horses. Run Software Update from the Apple menu to pick up the new OS X, and see Apple's support site for full details.

Speaking of Snow Leopard, the new OS installs an old, unsafe version of Adobe's Flash, even if you had a new, fixed version of Flash before upgrading. Check your current version at Adobe's Flash version test page, and if necessary nab the latest version.


Erik Larkin

PC World (US online)