Bugs and Fixes: file-sharing vulnerability hits Vista

Windows Vista users, take note of a new security hole involving Windows file sharing. Plus, it's time to update your browsers.

Windows Vista users (and IT folks taking care of Server 2008 computers) should watch out for a new security hole involving Windows file sharing. A remote attacker could assume full control of a vulnerable computer by exploiting a flaw in the SMB protocol for Windows file and printer sharing.

Most home users should already have a firewall in place that blocks attempts to reach the ports that SMB uses (139 and 445). Microsoft may have a patch available by the time you read this, but as of this writing no fix was yet available. For more details, see Microsoft's security advisory.

In a recent Microsoft monthly release, the ActiveX patch-up continued with an additional fix for the buggy Microsoft Active Template Library (ATL), along with updates for Windows Media Player and other software created with ATL. It's a critical fix for Windows 2000 SP4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, according to the MS09-037 bulletin.

Another patch closes holes in the way that Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008 all handle AVI video files. Opening a specially crafted, poisoned AVI file could allow an attacker to run any command on your PC, but the MS09-038 patch shuts the door.

Other critical fixes in the monthly batch apply more to businesses than to consumers. These include patches for the Remote Desktop Connection feature and the Windows Internet Name Service.

Browsers Bump Up

You'll also want to make sure your browser of choice is up-to-date. New versions of Firefox, Chrome, and Safari all came out in the past month or so.

A new Firefox 3.0 closes a hole in the browser's handling of SSL certificates that could allow an attacker to decipher encrypted traffic to and from a protected site, such as an online banking site. And a new 3.5 version fixes a JavaScript bug that criminals could use to install malware (also fixed in the new 3.0). Head to Help, Check for Updates to make sure you have at least Firefox 3.0.13 or Firefox 3.5.2.

Viewing a tainted image or site could trigger an attack for Safari users who haven't picked up the latest patch for both Windows and Mac. Vulnerabilities involving the CoreGraphics and ImageIO components affect only Windows, but problems in the WebKit browser core affect Macs as well, as does a flaw that could promote a malicious site in the Top Sites page. Run the Apple Software Update tool to confirm that you have Safari 4.0.3 or later.

Google Chrome received an automatically distributed update to 2.0.172.43. This version closes high-priority holes that could allow an attacker to launch attacks via poisoned XML or JavaScript on a Web page; it also includes a restriction against SSL certificates signed with old and insecure algorithms. See Google's Blogspot post for more details.

Security Updates for Macs

Mac OS X 10.5.8 fixes a wide range of vulnerabilities, including some that could hand control to an attacker if you view a poisoned image or Web site crafted with malicious XML. While Mac users are still immune to the vast majority of Windows-centric malware, Mac-specific threats are now appearing, as evidenced by Apple's inclusion of malware scans in Mac OS X Snow Leopard that will attempt to block two known Mac Trojan horses. Run Software Update from the Apple menu to pick up the new OS X, and see Apple's support site for full details.

Speaking of Snow Leopard, the new OS installs an old, unsafe version of Adobe's Flash, even if you had a new, fixed version of Flash before upgrading. Check your current version at Adobe's Flash version test page, and if necessary nab the latest version.


Erik Larkin

PC World (US online)