Feeds

Nine MS security bulletins create busy updates workload

Patches needed for almost everything - except IE

Seven Steps to Software Security

Microsoft released the expected nine patches - five critical - as part of a busy August Patch Tuesday update that focuses primarily on client-side vulnerabilities.

The bulletins collectively address 19 security flaws. The batch includes a bulletin covering a flaw in Office Web Components (MS09-043) that has served as the fodder for active hacking attacks since June. Users are open to attack if they stray onto sites hosting exploit code. A separate critical update for Windows Media Player (MS09-038) addresses a flaw that created a means to hack systems after tricking users into playing malformed AVI files.

Another update fixes five ActiveX controls that were made using a vulnerable version of the ATL library template. The root cause of this flaw - which has affected third party applications developers such as Adobe as much as Microsoft - was addressed in the MS09-035 out of sequence update in late July.

Flaws in Remote Desktop Protocol (RDP - formerly known as Terminal Services) that create a drive-by download attack risk are also addressed in the patch Batch.

On the server-side, the worst of the critical flaws addresses a severe threat for WINS servers on Microsoft networks. The flaw creates a means to mount an unauthenticated server-side attack. Providing an attacker can smuggle malicious packets past a firewall, the bug, if left unaddressed, creates a means to execute arbitrary code on a server.

Other "important updates" address flaws in Workstation service, Windows Message Queuing Service (MSMQ) services, Telnet and a denial of service vulnerability in ASP.NET.

A Microsoft summary can be found here, and an easier to digest "Black Tuesday" overview from the SANS Institute's Internet Storm Centre can be found here. Microsoft's summary of affected software reveals that all supported versions of Windows (client and server) will need updates for one reason or another. Office suites also need patching because of the Office Web Components flaw, which affects server applications including BizTalk and ISAS.

Eric Schultze, CTO at patch management firm Shavlik and a former programme manager for the Microsoft Security Response Centre, explained: "The bulletins cover a gamut of affected products - almost everything in your enterprise will need to be patched today with the exception of Internet Explorer."

Wolfgang Kandek, CTo at vulnerability assessment firm Qualys, commented: "There are five critical patches that can all be exploited remotely and four important ones that require direct access to the system for exploitation."

"Although this is a big release, there are no surprises in it as it addresses an outstanding public zero-day vulnerability and it includes an official patch for the out-of-band patch released in July for MS09-034. As always users are urged to review these critical patches carefully against their environment and apply them as soon as possible," he added. ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.