Microsoft patches 19 bugs in sweeping security update

Fixes software affected by its own development code bug, plugs holes already exploited

Microsoft today delivered nine security updates that patched 19 vulnerabilities in several crucial components of Windows, as well as in Windows Media Player, Outlook Express, IIS (Internet Information Server), Office and several other products.

Security researchers pegged Tuesday's batch as "all over the map" and a "smorgasbord" of updates.

Included in today's patches were five that plugged holes that Microsoft's own software inherited from a buggy code "library," dubbed ATL (Active Template Library), that the company and others rely on to create their programs.

"This is certainly a hodgepodge," said Andrew Storms, director of security operations at nCircle Network Security. "There's no real pattern this month. I'd call it a smorgasbord."

"It's a big pile of messy stuff," said Eric Schultze, chief technical officer at Shavlik Technologies. "Everything is impacted except for Internet Explorer."

Josh Abraham, a security researcher at Rapid7, agreed. "There are a ton of things all over the map here."

Five of the updates were pegged as "critical," the most serious ranking in Microsoft's four-step scoring system, while four were marked "important," the next rating down.

The big story today, agreed security experts, was MS09-037, the update that fixed five vulnerabilities in several Microsoft-made Windows components caused by bugs in ATL.

"This one is just awful," said Abraham, referring to the ATL update.

Schultze, who called the ATL fixes a "whole handful," also ranked MS09-037 at the top of today's list. "There are five individual patches for five individual controls, each used in different [Microsoft] software. It's good that Microsoft's patched this, but it's going to be really difficult for people to patch."

Storms, however, was surprised by the small number of ATL-related patches. "We expected a slew of ATL patches," he said, "although we only got five. But I expect that we'll see more and more ATL bugs from Microsoft in the next couple of months."

Schultze, who once worked at Microsoft, said he had been told by sources inside the company that with the exception of one still-open investigation, today's fixes patch all ATL-related vulnerabilities in software that ships as part of Windows. "They might have it licked," he said, but warned that Microsoft has yet to dig into other ActiveX controls it's crafted that don't ship "in the box," or come on the operating system's installation CD.

The ATL vulnerabilities were introduced when a Microsoft programmer added an extra "&" character to the widely-used library.

Two weeks ago, Microsoft rushed a pair of emergency updates to users that plugged multiple holes in IE and Visual Studio. Those vulnerabilities were traced to ATL.

Another high-profile update is MS09-043, which patches four critical vulnerabilities in Office Web Components (OWC), a set of ActiveX controls that let users publish Word, Excel and PowerPoint documents on the Web, then view them within Internet Explorer (IE).

Last month, Microsoft warned users of attacks exploiting the ActiveX control that displays Excel spreadsheets in IE, but the company was unable to patch it in time to meet the July update schedule. Security experts had predicted that Microsoft would fix the flaw today.

Users should patch the OWC bugs immediately, Abraham argued. "Anything, like this, that's been turned into a Metasploit module and weaponized should be patched as soon as possible," he said, talking about the popular penetration testing framework that both hackers and legitimate security researchers rely on for developing exploits.

Sheldon Malm, Rapid7's senior director of security strategy, urged Windows users to look beyond MS09-037 and MS09-043, the two updates he thought would get the most media attention today. He, as well as Schultze, singled out two other bulletins -- MS09-039 and MS09-042 -- that patched the Windows Internet Name Service (WINS) and Telnet components, respectively. "On the other end of the spectrum you've got WINS and Telnet," said Malm, who predicted that their updates would be largely ignored, at least initially.

Abraham also called out MS09-044, a two-patch update for Remote Desktop Connection, software used by both client and server versions of Windows, as well as by some Mac users, to access applications and data on a remote system over a network.

Any other month, said Abraham and Malm, that update would likely rise to the top of the to-do list. "But it's flying under the radar because of the media hype about ATL and OWC," said Malm.

All four security experts also put the spotlight on MS09-038, which patches two vulnerabilities in Windows' handling of the popular AVI media file format.

"This is a classic example of a media file format bug that once you view a malicious video, you get owned," Storms said, adding that they may be ripe for worm exploitation. "All the potential is there," he said.

"Exploits of this will use a unique attack vector," agreed Abraham, who said it was notable because attacks could be based on malicious video clips. "That's a departure from the standard, and speaks volumes about how rich media has become crucial to the Internet." Attackers could exploit the media format flaws by duping users into visiting Web sites that host rigged video.

"We're going to feel the 19 [vulnerabilities] this month," Storms said. "Because of the disparate systems that need to be patched and the wide variety of software that must be tested, everyone will be feeling the pain this month."

"Microsoft's dumping a huge chunk on people today," Malm agreed.

The August updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

More about: ATL, etwork, Excel, INS, Microsoft, nCircle, nCircle Network Security, Shavlik, Shavlik Technologies
References show all

Comments

1

Anonymous

Thu 13/08/2009 - 16:20

I have a math assignment due and microsoft automatically updated! It is due tomorrow and my document wont open! its just blank! I try to open it and theres not even a blank page. The thing just shows a blank black area where the page should be. When I close the program, it says it has encountered and error and cannot find the problem, even after running diagnostics! Now none of my schoolwork is viewable! help me please someone, how do i reverse this update?

2

gnome

Thu 13/08/2009 - 17:56

It's a bit late for the assignment, but the not-so-quick fix is to turn off automatic updates AND then make sure you download them when YOU want to.

And the long term fix is - ABW (anything but windo$e).

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Microsoft, Office, Windows, Windows media player
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/165/billings/

Billings

Billings allows you to present clients with professional looking invoices. There are 30 templates to choose from and you can add your own logo and ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia