Microsoft pushes out patches for 19 vulnerabilities for Patch Tuesday. The August fixes cover a number of products, including Windows and Office Web Components. The security bulletins also address vulnerabilities in Microsoft's Active Template Library.
released nine security bulletins Aug. 11 for Patch Tuesday, swatting
a number of critical bugs.
All told, the bulletins address 19 vulnerabilities across Microsoft Windows,
Microsoft Office, Visual Studio and other products. Among the vulnerabilities
is a bug in Microsoft
Office Web Components that has been exploited in the wild.
Microsoft, the bug-one of four patched today within Web Components-resides in
the Spreadsheet ActiveX control. When the ActiveX control is used in Internet
Explorer, the control can corrupt the system state and permit an attacker to
run arbitrary code.
Information on mitigations and workarounds can be
Five of the nine bulletins are rated "critical," including MS09-037,
part of the continued fallout from vulnerabilities
affecting the Microsoft ATL (Active Template Library).
The bulletin covers
five vulnerabilities across both the private version of the library used
internally by Microsoft and the public version shared with third-party
"The issue is that developers have been including this flawed code in
ActiveX controls for over 10 years," noted David Dewey of IBM
's X-Force research team. "This results in an innumerable amount of
vulnerable controls that were developed by third parties and are currently
being used in the public. Microsoft has done a great job of providing all the
details a developer would need to correct potentially vulnerable controls, but
the onus is now on the developer to make the appropriate changes."
include patches for vulnerabilities in Windows Media
file processing, WINS (the Windows Internet
Name Service) and Microsoft Remote Desktop Connection. The remaining four
bulletins are all rated "important" and cover issues in Windows. Two
of those four cover privilege escalation situations, while the other two affect
remote code execution and DoS (denial of service) issues.