Bugs and Fixes: Stymie Malicious Media, Network Attacks
Essential OS fixes are big this month. And fans of free software need to update their Firefox and OpenOffice copies.
Apple's QuickTime 7.6.4 update revises the program's handling of .fpx, .mov, and .mp4 files on Windows XP, Vista, or 7, or Mac OS X (not Snow Leopard). In QuickTime, click Help•Update Existing Software to ensure that you have version 7.6.4 (for details, see Apple's "About the security content of QuickTime 7.6.4" page).
Microsoft's patch plugs a security hole in the way Windows 2000, XP, Server 2003, Vista, and Server 2008 (but not Windows 7) process .asf or .mp3 media files. Microsoft's Security Bulletin MS09-047 lists many vulnerable combinations of Windows Media Format Runtime and OS versions; run Windows Update to confirm you have the fix.
Windows Vista and Server 2008 are vulnerable to several network-based security flaws. One, an SMBv2 file-sharing hole could let a remote attacker take over a machine. Microsoft hasn't yet released a patch, but the company has posted a "Fix It" for disabling SMBv2. File sharing should work, but it may be slow.
Microsoft did patch a flaw that malicious TCP/IP packets sent across a network might exploit. On Vista and Server 2008, that could mean a full takeover; on Windows 2000, Server 2003, and XP, a system crash is likelier. Microsoft won't release a patch for Windows 2000 (see Microsoft Security Bulletin MS09-048) or XP (which by default doesn't accept the perilous packets).
A network problem in the Wireless LAN AutoConfig Service (see Microsoft Security Bulletin MS09-049) could let remote attackers "own" vulnerable Vista or Server 2008 systems. PCs that lack wireless cards or run other Windows versions are safe. A firewall will help block such Web-based assaults.
Two more Microsoft patches correct critical flaws that might let code hidden on a Web page run commands on a vulnerable PC. One, in the JScript Scripting Engine (see Microsoft Security Bulletin MS09-045), affects Windows 2000, XP, Server 2003, Vista, and Server 2008. The other involves the DHTML Editing Component ActiveX control (see Microsoft Security Bulletin MS09-046), and is critical for Windows XP and 2000 only. Windows Update has both fixes, as usual.
Fixes for Free Software
If you use the OpenOffice productivity suite, update to version 3.1.1 or later to avoid a critical problem in how OpenOffice handles Microsoft Word documents. If you open a tainted .doc file, an attacker could take over your PC. Click Help•Check for Updates to see whether you have the latest version (for more details, see OpenOffice.org's 3.1.1 Release Notes).
Firefox 3.0 and 3.5 include a security feature that warns you to update Flash if your version is vulnerable; they also provide a link to the Flash download site.
If you use Mac OS X versions 10.4 through 10.5.8, fire up Software Update to pick up Security Update 2009-005, which fixes image file, PDF file, or Web site holes.