Feeds

Nine MS security bulletins create busy updates workload

Patches needed for almost everything - except IE

Protecting against web application threats using SSL

Microsoft released the expected nine patches - five critical - as part of a busy August Patch Tuesday update that focuses primarily on client-side vulnerabilities.

The bulletins collectively address 19 security flaws. The batch includes a bulletin covering a flaw in Office Web Components (MS09-043) that has served as the fodder for active hacking attacks since June. Users are open to attack if they stray onto sites hosting exploit code. A separate critical update for Windows Media Player (MS09-038) addresses a flaw that created a means to hack systems after tricking users into playing malformed AVI files.

Another update fixes five ActiveX controls that were made using a vulnerable version of the ATL library template. The root cause of this flaw - which has affected third party applications developers such as Adobe as much as Microsoft - was addressed in the MS09-035 out of sequence update in late July.

Flaws in Remote Desktop Protocol (RDP - formerly known as Terminal Services) that create a drive-by download attack risk are also addressed in the patch Batch.

On the server-side, the worst of the critical flaws addresses a severe threat for WINS servers on Microsoft networks. The flaw creates a means to mount an unauthenticated server-side attack. Providing an attacker can smuggle malicious packets past a firewall, the bug, if left unaddressed, creates a means to execute arbitrary code on a server.

Other "important updates" address flaws in Workstation service, Windows Message Queuing Service (MSMQ) services, Telnet and a denial of service vulnerability in ASP.NET.

A Microsoft summary can be found here, and an easier to digest "Black Tuesday" overview from the SANS Institute's Internet Storm Centre can be found here. Microsoft's summary of affected software reveals that all supported versions of Windows (client and server) will need updates for one reason or another. Office suites also need patching because of the Office Web Components flaw, which affects server applications including BizTalk and ISAS.

Eric Schultze, CTO at patch management firm Shavlik and a former programme manager for the Microsoft Security Response Centre, explained: "The bulletins cover a gamut of affected products - almost everything in your enterprise will need to be patched today with the exception of Internet Explorer."

Wolfgang Kandek, CTo at vulnerability assessment firm Qualys, commented: "There are five critical patches that can all be exploited remotely and four important ones that require direct access to the system for exploitation."

"Although this is a big release, there are no surprises in it as it addresses an outstanding public zero-day vulnerability and it includes an official patch for the out-of-band patch released in July for MS09-034. As always users are urged to review these critical patches carefully against their environment and apply them as soon as possible," he added. ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.