The Register®

Original URL: http://www.theregister.co.uk/2009/10/14/microsoft_patch_tuesday_oct_2009/

Microsoft's Patch Tuesday fixes record number of flaws

SSL spoof bug finally put to rest

By Dan Goodin

Posted in Security, 14th October 2009 00:09 GMT


Microsoft on Tuesday patched a record number of security holes in its Windows operating systems and other software, a haul that included at least one security flaw that was already under attack in the wild.

One of the updates fixed a vulnerability in Windows Media Runtime [1] that allows an attacker to remotely execute malware by tricking a user into playing a booby-trapped audio or video file. A few hours after its release, a Microsoft spokesman said company researchers have "seen limited attacks trying to use the reported vulnerability."

The bug is rated critical on every version of Windows.

A separate update fixed a bug that left users of the Internet Explorer, Google Chrome, and Apple Safari for Windows browsers vulnerable to forged secure sockets layer [2] certificates. The flaw in Microsoft's CryptoAPI was disclosed 10 weeks ago [3], but took on more urgency after a hacker published a counterfeit certificate [4] for PayPal that made it trivial for someone mounting a man-in-the-middle attack to impersonate the online payment processor.

The patch batch also included a fix for the SMB2 file-sharing technology that was added to Vista and later versions of Windows. Four weeks ago [5], white-hat hackers developed a reliable way to target the critical vulnerability, but there are still no reports of it being exploited in the wild.

As always, Microsoft provides a visual chart [6] that summarises the releases, though you may prefer this roundup [7] from the SANS Internet Storm Center. ®