Microsoft on Tuesday issued nine security updates to patch 19 vulnerabilities. The bugs affect a wide range of Microsoft products, including Windows, Outlook Express, Windows Media Player, Office and Internet Information Server (IIS).
"Although this is a big release, its not surprising as it addresses an outstanding public zero-day vulnerability and it includes an official patch for the out-of-band patch released in July for MS09-034," said Jonathan Bitle, technical director at Qualys. "As always, users are urged to review these critical patches carefully against their environment and apply them as soon as possible."
There are five critical patches that can be exploited remotely and four important patches that require access to the system for exploitation. The five critical patches fix flaws in the MS Active Template Library (ATL). This patch supersedes the out-of-cycle patch Microsoft previously released. Microsoft also fixed a critical flaw in Windows Media Player and Windows Internet Name Service (WINS), as well as a zero-day vulnerability in Office and a patch to address a critical remote desktop vulnerability.
A Smorgasbord of Fixes
Many people are going to be looking at the WINS anonymous remote-code-execution attack as a potential worm vector, but they shouldn't minimize the IIS denial-of-service attack or Bulletin 038, according to Andrew Storms, director of security operations at nCircle. That's because these vulnerabilities mean anyone could become infected simply by opening a movie file.
"This month had the potential to be the month of ATL bug fixes, but it has turned out to be more of a smorgasbord. These updates are going to require lots of IT resources for testing and deployment ," Storms said. "At one end of the spectrum, we have the expected ATL client-side bug fixes. At the other end are server -side vulnerabilities covering IIS and WINS. The wide variety of the bugs means that IT security teams need to be smart about their resource allocation for patch testing this month."
The Most Dangerous Vulnerability
Tyler Reguly, a senior security engineer for nCircle, said the WINS vulnerability may be the most dangerous from a remote-code-execution perspective. There are probably quite a few organizations running WINS servers, he said, and many of them may not need to these days. He suggested it might be a good time to take stock of what exists on the network and disable unnecessary WINS servers.