Nine MS security bulletins create busy updates workload

Patches needed for almost everything - except IE

Got Tips? 5 Reg comments

Microsoft released the expected nine patches - five critical - as part of a busy August Patch Tuesday update that focuses primarily on client-side vulnerabilities.

The bulletins collectively address 19 security flaws. The batch includes a bulletin covering a flaw in Office Web Components (MS09-043) that has served as the fodder for active hacking attacks since June. Users are open to attack if they stray onto sites hosting exploit code. A separate critical update for Windows Media Player (MS09-038) addresses a flaw that created a means to hack systems after tricking users into playing malformed AVI files.

Another update fixes five ActiveX controls that were made using a vulnerable version of the ATL library template. The root cause of this flaw - which has affected third party applications developers such as Adobe as much as Microsoft - was addressed in the MS09-035 out of sequence update in late July.

Flaws in Remote Desktop Protocol (RDP - formerly known as Terminal Services) that create a drive-by download attack risk are also addressed in the patch Batch.

On the server-side, the worst of the critical flaws addresses a severe threat for WINS servers on Microsoft networks. The flaw creates a means to mount an unauthenticated server-side attack. Providing an attacker can smuggle malicious packets past a firewall, the bug, if left unaddressed, creates a means to execute arbitrary code on a server.

Other "important updates" address flaws in Workstation service, Windows Message Queuing Service (MSMQ) services, Telnet and a denial of service vulnerability in ASP.NET.

A Microsoft summary can be found here, and an easier to digest "Black Tuesday" overview from the SANS Institute's Internet Storm Centre can be found here. Microsoft's summary of affected software reveals that all supported versions of Windows (client and server) will need updates for one reason or another. Office suites also need patching because of the Office Web Components flaw, which affects server applications including BizTalk and ISAS.

Eric Schultze, CTO at patch management firm Shavlik and a former programme manager for the Microsoft Security Response Centre, explained: "The bulletins cover a gamut of affected products - almost everything in your enterprise will need to be patched today with the exception of Internet Explorer."

Wolfgang Kandek, CTo at vulnerability assessment firm Qualys, commented: "There are five critical patches that can all be exploited remotely and four important ones that require direct access to the system for exploitation."

"Although this is a big release, there are no surprises in it as it addresses an outstanding public zero-day vulnerability and it includes an official patch for the out-of-band patch released in July for MS09-034. As always users are urged to review these critical patches carefully against their environment and apply them as soon as possible," he added. ®

Sponsored: Webcast: Simplify data protection on AWS

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Keep Reading

Zuckerberg

NSO Group: Facebook tried to license our spyware to snoop on its own addicts – the same spyware it's suing us over

Antisocial network sought surveillance tech to boost its creepy Onavo Protect app, it is claimed
ban

Spyware maker NSO can't claim immunity, Facebook lawyers insist – it's time to face the music

Software developers aren't nation states, antisocial giant points out
Someone on a cliff wearing a virtual reality headset

Virtual reality is a bonkers fad that no one takes seriously but anyway, here's someone to tell us to worry about hackers

Enigma If printers and nuclear reactors on the internet are fair game, so's the gizmo on your face, we'll concede

We are shocked to learn oppressive authoritarian surveillance state China injects spyware into foreigners' smartphones

Border cops accused of loading tourists' mobiles up with snoop app in Muslim area
Three people looking at the Golden Gate Bridge, San Francisco, California

Spyware slinger NSO to Facebook: Pretty funny you're suing us in California when we have no US presence and use no American IT services...

Malware maker urges judge to dump lawsuit over WhatsApp phone snooping

Mozilla plugs two Firefox browser holes exploited in the wild by hackers to hijack victims' computers

Update now before it's too late
Red alert light

It's 2020 and hackers are still hijacking Windows PCs by exploiting font parser security holes. No patch, either

Spreading in the wild, no vaccine, people told to distance themselves from dodgy sources... sounds familiar
Protestors in Hong Kong

China's Winnti hackers (apparently): Forget the money, let's get political and start targeting Hong Kong students for protest info

Supply-chain hackers now taking aim at kids fighting for democracy, say researchers

Biting the hand that feeds IT © 1998–2020