Bugs & Fixes: Firefox Squashes a Buggy Microsoft Plug-In

Redmond turned red-faced upon learning that an automatically installed Microsoft Windows Presentation Foundation plug-in for Firefox opened a major security hole. Following Microsoft's disclosure of the bug, Mozilla blocked the plug-in. According to Mozilla, Microsoft agreed with the move, even though it had released a patch to close the underlying flaw.

Simultaneously,The move coincided with Mozilla's launch of a new Plugin Check page designed to identify and update old and vulnerable plug-ins. The page checks only certain popular plug-ins right now, but it's a simple and handy security tool.

And to top off your Mozilla updates, be sure to pick up the Firefox 3.0.15 or 3.5.5 updates. These new versions close holes that mightcan allow JavaScript and other attacks. Click Help, Check for Up­­dates to ensure that you have the latest version.

Microsoft Patch Push

Microsoft delivered eight critical patches this month, including the Firefox fix, and another five patches that address other important Web-based threats.

An Internet Explorer patch wards off drive-by download attacks and fixes the Firefox plug-in vulnerability. It's rated critical for IE 5 on Windows 2000; IE 6 on XP and Server 2003; IE 7 on XP, Vista, Server 2003, and Server 2008; and IE 8 on Windows XP, Vista, 7, Server 2003, and Server 2008. See the MS09-054 bulletin for details.

Problems with the Microsoft Windows Graphics Device Interface (GDI+) could let an attacker take control of your PC if you view a tainted image on a Web page or open it in an affected program. The MS09-062 patch is critical for XP, Vista, Server 2003, and Server 2008, and needed for IE 6 on Win 2000.

Viewing a malicious streaming-media .asf file on a Web page or opening one in an affected program could launch an at­­tack on systems lacking the MS09-051 patch for Windows Media Runtime. It's critical for Windows 2000, XP, Vista, Server 2003, and Server 2008.

The associated MS09-052 patch for Windows 2000, XP, and Server 2003 fixes a hole in Windows Media Player; but the flaw can also be triggered by using the program to browse to a directory that contains a malicious file, according to security company Shavlik.

Microsoft Active Template Library gets more patches, in the form of the MS09-055 killbit patch for Windows 2000 and XP that disables troublesome ActiveX controls, and the MS09-060 fix for ActiveX controls that Office introduced. Office XP, 2003, and 2007 need the critical fix, as do the Visio 2002, 2003, and 2007 viewers.

A Tarnished Silverlight

The MS09-061 patch repels takeover attacks from malicious Web pages. It's critical if your Windows client (nonserver) installation or Mac has Silverlight installed, and it's important for Windows servers. The same patch closes holes in versions of .Net on Windows 2000, XP, Vista, and 7.

A final critical patch, MS09-050, fixes an SMB problem (discussed last month) affecting Vista and Server 2008. Unpatched PCs could be hit by a network-based attack.

Run Microsoft Update to ensure that you have all of these critical patches, along with the five security fixes rated Important. For a full list of this month's patches, see Microsoft's Security Bulletin Summary for October 2009.

Adobe Reinforcement

A huge patch for Adobe Reader and Acrobat closes 29 vulnerabilities. Windows, Mac, and Unix users with version 9.1.3 or 8.1.6 of either program need version 9.2 or 8.1.7; Windows and Mac users with version 7.1.3 need version 7.1.4. Click Help, Check for Updates to pick up the latest version available.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
  
Shop Tech Products at Amazon