Bugs and Fixes: file-sharing vulnerability hits Vista

Windows Vista users take note of a new security hole involving Windows file sharing, plus it's time to update your browsers

Windows Vista users (and IT folks taking care of Server 2008 computers) should watch out for a new security hole involving Windows file sharing. A remote attacker could assume full control of a vulnerable computer by exploiting a flaw in the SMB protocol for Windows file and printer sharing.

Most home users should already have a firewall in place that blocks attempts to reach the ports that SMB uses (139 and 445). Microsoft may have a patch available by the time you read this, but as of this writing no fix was yet available. For more details, see Microsoft's security advisory.

In a recent Microsoft monthly release, the ActiveX patch-up continued with an additional fix for the buggy Microsoft Active Template Library (ATL), along with updates for Windows Media Player and other software created with ATL. It's a critical fix for Windows 2000 SP4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, according to the MS09-037 bulletin.

Another patch closes holes in the way that Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 all handle AVI video files. Opening a specially crafted, poisoned AVI file could allow an attacker to run any command on your PC, but the MS09-038 patch shuts the door.

Other critical fixes in the monthly batch apply more to businesses than to consumers. These include patches for the Remote Desktop Connection feature and the Windows Internet Name Service.

Browsers Bump Up

You'll also want to make sure your browser of choice is up-to-date as well. New versions of Firefox, Chrome, and Safari all came out in the past month or so.

A new Firefox 3.0 closes a hole in the browser's handling of SSL certificates that could allow an attacker to decipher encrypted traffic to and from a protected site, such as online banking sites. And a new 3.5 version fixes a JavaScript bug that criminals could use to install malware (also fixed in the new 3.0). Head to Help, Check for Updates to make sure you have at least Firefox 3.0.13 or Firefox 3.5.2.

Viewing a tainted image or site could trigger an attack for Safari users who haven't picked up the latest patch for both Windows and Mac. Vulnerabilities involving the CoreGraphics and ImageIO components affect only Windows, but problems in the WebKit browser core affect Macs as well, as does a flaw that could promote a malicious site in the Top Sites page. Run the Apple Software Update tool to confirm that you have Safari 4.0.3 or later.

Google Chrome received an automatically distributed update to 2.0.172.43. This version closes high-priority holes that could allow an attacker to launch attacks via poisoned XML or JavaScript on a Web page; it also includes a restriction against SSL certificates signed with old and insecure algorithms. See Google's Blogspot post for more details.

Security Updates for Macs

Mac OS X 10.5.8 fixes a wide range of vulnerabilities, including some that could hand control to an attacker if you view a poisoned image or Web site crafted with malicious XML. While Mac users are still immune to the vast majority of Windows-centric malware, Mac-specific threats are now appearing, as evidenced by Apple's inclusion of malware scans in Mac OS X Snow Leopard that will attempt to block two known Mac Trojan horses. Run Software Update from the Apple menu to pick up the new OS X, and see Apple's support site for full details.

Speaking of Snow Leopard, the new OS installs an old, unsafe version of Adobe's Flash, even if you had a new, fixed version of Flash before upgrading. Check your current version at Adobe's Flash version test page, and if necessary nab the latest version.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Windows Vistaweb browserssecurityMac OS XGoogle Chromesafarimozilla firefox

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Erik Larkin

PC World (US online)
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?