Virulent Worm Exploits Missing Patches

By ABC News
February 9, 2009, 11:23 PM

Think massive worm outbreaks are obsolete? Then say hello to the Conficker worm, aka Downadup. In January it slithered onto millions of computers unprotected by a critical patch that Microsoft had issued back in October.

The patch fixed a hole in the Windows Server service, which most desktop and server versions of Windows use. Without it, a PC is vulnerable to attack by infected PCs across a network. A firewall can block external attacks of this sort, but business network firewalls generally offer little protection against threats from within the network. And businesses can be slow to patch company computers.

First, double-check that you have the October patch noted above (available for Windows 2000, XP, Vista, Server 2003, and Server 2008) on both your home and work PCs, by running Windows Update. And be aware that a thumb drive or laptop you bring home from work can spread Conficker as well.

You also need to close a similar, newly discovered hole that exists in the Microsoft Server Message Block (SMB) protocol for file and printer sharing, which is critical for Windows 2000, XP, and Server 2003, and moderately important for Vista and Server 2008. Like the hole that the Conficker worm exploits, the SMB flaw lets an attacker launch a remote assault on a vulnerable computer and take complete control if successful. Again, a firewall can lower the risk, but be sure to get the patch via Windows Update or from Microsoft's site (Security Bulletin MS09-001).

Meanwhile, Apple has released QuickTime 7.6 to close seven serious flaws involving hacked movie files (including .avi and .mpeg types) and streaming video sites whose URLs open with rtsp://. Playing a tainted file or streaming video could relinquish control of your system to an attacker. You'll need the update if you run QuickTime on Mac OS X, Windows XP, or Windows Vista; nab it and more info from an Apple support page.

If you've installed the optional QuickTime MPEG-2 Playback Component under Windows XP or Vista, you'll need another high-priority Apple fix. Head to another Apple support page to determine whether you have the QuickTime extra and, if so, which version it is. If it's prior to version 7.60.92.0, get the free update to protect against malicious movie files.

Finally, if you're a Firefox 2 hold-out, be aware that the old browser's built-in antiphishing protection is now kaput. Firefox 2 version 2.0.0.19 or later will show it as disabled, and even though it may still appear to be enabled if you're using an older version, Google has cut off the data feed that told it which sites to block. Your best bet, by far, is to upgrade to Firefox 3, which supports active antiphishing and delivers nifty features like the so-called 'Awesome Bar'.