Microsoft has distributed nine patches, six rated "critical," including one that complemented an out-of-band fix issued late last month.

MS09-037 addresses five vulnerabilities in the Active Template Library (ATL), which, if exploited, could enable execution of remote code if a specially crafted ActiveX control is hosted on a malicious website.

"Microsoft evaluated all of their ActiveX controls that ship in the box and they found five of them that were built on the insecure template library," Eric Schultze, CTO of Shavlik Technologies, provider of patch management solutions, told SCMagazineUS.com.

The patch was related to an out-of-cycle fix on July 28 that corrected issues in developer tools suite Visual Studio, which leverages the ATL to build ActiveX controls, as well as Internet Explorer.

Tuesday's update also includes a patch for an ActiveX vulnerability -- unrelated to the ATL bulletin -- that is being exploited in the wild. MS09-043 corrects a buggy Spreadsheet ActiveX control in Office Web Components, in addition to three other holes. The issue affects a number of software versions, including Office XP and 2003 Service Pack 3 (SP3) and Internet Security and Acceleration Server 2004 SP3 and 2006.

"We strongly encourage customers to review and deploy this bulletin, if applicable, given that we have seen exploitation in the wild," said Jerry Bryant, a Microsoft security program manager, on the company's Security Response Center Blog.

Other fixes included MS09-038, which took care of two flaws in the way Windows Media files are processed. Attackers can infect users by tricking them into opening a malicious AVI file. Also, the update repaired two vulnerabilities in the WINS (Windows Internet Name Service) server on Windows 2000 or Server 2003. The flaws could be taken advantage of to launch an "unauthenticated, self-replicating attack across the network," Bryant said.

Jonathan Bitle, technical director at vulnerability management provider Qualys, said the patches should remind administrators to instruct end-users to practise safe computing and not click on untrusted links or files.

"Obviously, education is a key component of all of these [patches]," he told SCMagazineUS.com.

The update also included a non-security advisory, which announced a new feature called Extended Protection for Authentication, designed to bolster the vetting of network connections to Windows.

See original article on scmagazineus.com