Microsoft’s nine security bulletins released today close a range of security holes involving ActiveX controls, Windows Media files and other software that affect the full array of Windows versions.
A fix for a serious flaw in the Microsoft Office Web components, disclosed in July, patches an ActiveX problem that allows for a drive-by-download attack against Internet Explorer users. A wide range of Office installs and components need the fix, including Office XP and 2003 and the Web Components Service Pack 3 for Office 2000, XP and 2003. Office 2007 and Office 2004 and 2008 are safe, but BizTalk Server 2002, Visual Studio .NET 2003 and the Internet Security and Acceleration Server 204 and 2006 need patching. For a full list of affected software see the MS09-043 bulletin.
The next critical bulletin brings in more patches for the buggy Microsoft Active Template Library, which Redmond began to address in an emergency patch from last month. Today’s batch applies fixes for ActiveX flaws and drive-by-download risks that are critical for Windows 2000 SP4, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, according to the MS09-037 bulletin.
Poisoned media files prompted the next patch, which closes holes in the way that Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 all handle .AVI files. Opening a specially crafted file could allow an attacker to run any command on your PC, but the MS09-038 patch shuts the door.
A Remote Destop Connection security hole that allows for launching an attack from a malicious Web site picks up the fourth bulletin. If you have the default version of RDC, then it’s a critical fix for Windows 2000, XP, Server 2003 and Server 2008, and rated important for Vista and the RDC client for Mac 2.0. But if you have manually installed a newer RDC version on Vista that risk jumps up to critical. See the MS09-044 bulletin for a full list of RDC and Windows versions combinations and risk ratings; or better yet, just apply the fix via Automatic Updates and be done with it.
The final critical patch for this month will only affect Windows 2000 and Server 2003 installations that use the Windows Internet Name Service, which Microsoft says is not installed by default. Head to the MS09-039 bulletin for more details.
As per usual, you’ll get all these fixes by running Automatic Updates or manually running Microsoft Update. Doing so will also nab this month’s collection of less serious fixes, which cure ills in the Microsoft Telnet service (MS09-042), .NET Framework (MS09-036), Windows Message Queing Service (MS09-040) and the Windows Workstation Service (MS09-041). Attacks against these important-rated holes could result in denial-of-service, privilege escalation and/or login credential theft – nothing you’d want to deal with, but less dangerous than the critical risks that could by themselves allow for malware installation and the like.