Microsoft released nine security bulletins Aug. 11 for Patch Tuesday, swatting a number of critical bugs.
All told, the bulletins address 19 vulnerabilities across Microsoft Windows, Microsoft Office, Visual Studio and other products. Among the vulnerabilities is a bug in Microsoft Office Web Components that has been exploited in the wild. According to Microsoft, the bug-one of four patched today within Web Components-resides in the Spreadsheet ActiveX control. When the ActiveX control is used in Internet Explorer, the control can corrupt the system state and permit an attacker to run arbitrary code.
Information on mitigations and workarounds can be found here.
Five of the nine bulletins are rated “critical,” including MS09-037, part of the continued fallout from vulnerabilities affecting the Microsoft ATL (Active Template Library). The bulletin covers five vulnerabilities across both the private version of the library used internally by Microsoft and the public version shared with third-party developers.
“The issue is that developers have been including this flawed code in ActiveX controls for over 10 years,” noted David Dewey of IBM ‘s X-Force research team. “This results in an innumerable amount of vulnerable controls that were developed by third parties and are currently being used in the public. Microsoft has done a great job of providing all the details a developer would need to correct potentially vulnerable controls, but the onus is now on the developer to make the appropriate changes.”
The other critical bulletins include patches for vulnerabilities in Windows Media file processing, WINS (the Windows Internet Name Service) and Microsoft Remote Desktop Connection. The remaining four bulletins are all rated “important” and cover issues in Windows. Two of those four cover privilege escalation situations, while the other two affect remote code execution and DoS (denial of service) issues.