Microsoft pushes out ATL, ActiveX fixes

By

The software giant has cleaned up its flawed Active Template Library, in addition to issuing a host of other patches.

Microsoft has distributed nine patches, six rated "critical," including one that complemented an out-of-band fix issued late last month.

MS09-037 addresses five vulnerabilities in the Active Template Library (ATL), which, if exploited, could enable execution of remote code if a specially crafted ActiveX control is hosted on a malicious website.

"Microsoft evaluated all of their ActiveX controls that ship in the box and they found five of them that were built on the insecure template library," Eric Schultze, CTO of Shavlik Technologies, provider of patch management solutions, told SCMagazineUS.com.

The patch was related to an out-of-cycle fix on July 28 that corrected issues in developer tools suite Visual Studio, which leverages the ATL to build ActiveX controls, as well as Internet Explorer.

Tuesday's update also includes a patch for an ActiveX vulnerability -- unrelated to the ATL bulletin -- that is being exploited in the wild. MS09-043 corrects a buggy Spreadsheet ActiveX control in Office Web Components, in addition to three other holes. The issue affects a number of software versions, including Office XP and 2003 Service Pack 3 (SP3) and Internet Security and Acceleration Server 2004 SP3 and 2006.

"We strongly encourage customers to review and deploy this bulletin, if applicable, given that we have seen exploitation in the wild," said Jerry Bryant, a Microsoft security program manager, on the company's Security Response Center Blog.

Other fixes included MS09-038, which took care of two flaws in the way Windows Media files are processed. Attackers can infect users by tricking them into opening a malicious AVI file.

Also, the update repaired two vulnerabilities in the WINS (Windows Internet Name Service) server on Windows 2000 or Server 2003. The flaws could be taken advantage of to launch an "unauthenticated, self-replicating attack across the network," Bryant said.

Jonathan Bitle, technical director at vulnerability management provider Qualys, said the patches should remind administrators to instruct end-users to practise safe computing and not click on untrusted links or files.

"Obviously, education is a key component of all of these [patches]," he told SCMagazineUS.com.

The update also included a non-security advisory, which announced a new feature called Extended Protection for Authentication, designed to bolster the vetting of network connections to Windows.


See original article on scmagazineus.com

Microsoft pushes out ATL, ActiveX fixes
Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
activeactivexfixesflawlibrarymicrosoftpatchsecuritytemplatetuesday

Sponsored Whitepapers

See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy
Byte Delivers Future-Ready IT: Transforming Endpoint Security and Productivity with a Cloud-First Strategy

Events

Most Read Articles

India's alarm over Chinese spying rocks CCTV makers

India's alarm over Chinese spying rocks CCTV makers
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
Cyber companies hope to untangle weird hacker codenames

Cyber companies hope to untangle weird hacker codenames
Victoria's Secret pulls down website amid security incident

Victoria's Secret pulls down website amid security incident
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?