Microsoft pushes out ATL, ActiveX fixes

By Dan Kaplan on Aug 12, 2009 10:35AM

The software giant has cleaned up its flawed Active Template Library, in addition to issuing a host of other patches.

Microsoft has distributed nine patches, six rated "critical," including one that complemented an out-of-band fix issued late last month.

MS09-037 addresses five vulnerabilities in the Active Template Library (ATL), which, if exploited, could enable remote code execution if a specially crafted ActiveX control is hosted on a malicious website.

"Microsoft evaluated all of their ActiveX controls that ship in the box and they found five of them that were built on the insecure template library," Eric Schultze, CTO of Shavlik Technologies, provider of patch management solutions, told SCMagazineUS.com.

The patch was related to an out-of-cycle fix on July 28 that corrected issues in Internet Explorer and in the developer tools suite Visual Studio, which leverages the ATL to build ActiveX controls.

Tuesday's update also includes a patch for an ActiveX vulnerability -- unrelated to the ATL bulletin -- that is being exploited in the wild. MS09-043 corrects a buggy Spreadsheet ActiveX control in Office Web Components, in addition to three other holes. The issue affects a number of software versions, including Office XP and 2003 Service Pack 3 (SP3) and Internet Security and Acceleration Server 2004 SP3 and 2006.

"We strongly encourage customers to review and deploy this bulletin, if applicable, given that we have seen exploitation in the wild," said Jerry Bryant, a Microsoft security program manager, on the company's Security Response Center Blog.

Other fixes included MS09-038, which took care of two flaws in the way Windows Media files are processed. Attackers can infect users by tricking them into opening a malicious AVI file.

Also, the update repaired two vulnerabilities in the WINS (Windows Internet Name Service) server on Windows 2000 or Server 2003. The flaws could be taken advantage of to launch an "unauthenticated, self-replicating attack across the network," Bryant said.

Jonathan Bitle, technical director at vulnerability management provider Qualys, said the patches should remind administrators to instruct end-users to practise safe computing and not click on untrusted links or files.

"Obviously, education is a key component of all of these [patches]," he told SCMagazineUS.com.

The update also included a non-security advisory, which announced a new feature called Extended Protection for Authentication, designed to bolster the vetting of network connections to Windows.


See original article on scmagazineus.com

Copyright © SC Magazine, US edition