
Microsoft Patches Nine Security Flaws

Microsoft Corp. today issued software updates to plug at least nine different security holes in its various Windows operating systems and other software. Today's patch batch includes fixes for two very serious flaws that are actively being exploited by attackers to break into vulnerable PCs.

Redmond issued patches to fix the vulnerability in its Video ActiveX Control for Internet Explorer, as well as the DirectShow flaw in Windows. Criminals currently are using both security holes to plant rogue software on PCs when users visit certain hacked or malicious Web sites.

Contrary to what Microsoft itself said, the company did not release an official patch to plug the other ActiveX flaw hackers are actively exploiting -- which I first wrote about yesterday. Instead, it has released an interim workaround to blunt the threat from that weakness. Unfortunately, someone at Redmond seems to be a little confused about this point. In its advisory, Microsoft replaced the "Fix It" tool for this flaw with the erroneous statement: "Microsoft has completed the investigation into a public report of this vulnerability. We have issued security bulletin MS09-032 (http://go.microsoft.com/fwlink/?LinkId=157386) to address this issue." I have notified Microsoft and will post an update here when Microsoft has resolved this.

Also patched today were vulnerabilities in Microsoft Office, Internet Security and Acceleration (ISA) Server, Virtual PC and Virtual Server. The latter three are products mainly used by businesses.

Patches were released for Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. The updates are available through Windows Update, or via Automatic Updates.

As always, please drop us a line in the comments if you experience any issues after applying these updates.

Update, 4:37 p.m. ET: Microsoft appears to have revised its advisory to put the "Fix It" tool back in for the vulnerability I wrote about yesterday.

By Brian Krebs  |  July 14, 2009; 4:28 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  | Tags: 0day, activex, patch tuesday  

Comments

After installing the updates, is it necessary/desirable to re-enable the features that we disabled with the interim patches? In particular, should we now run MicrosoftFixit50288.msi?

Posted by: artyaffe | July 14, 2009 6:02 PM | Report abuse

One curious thing with the update. Windows XP Home. When I updated the Toshiba Satellite laptop no reboot was requested. When I updated the Dell desktop it required a reboot. Wonder why.

Posted by: Eremita1 | July 14, 2009 6:09 PM | Report abuse

It's annoying that Microsoft hasn't updated the FixIt page for the DirectShow vulnerability linked above to let users know it's not needed any more if they are current with Windows Update. Also, it's not clear if we should UnFixIt before running Windows Update. Any idea if that's needed?

Posted by: JRandomHacker | July 14, 2009 6:26 PM | Report abuse

@artyaffe -- The ActiveX patches...basically they're doing the same thing the interim fix does -- killing the registry entry for that control. So, no, in short -- you don't need to re-enable those, and I doubt you'd ever miss them anyway. I'd like to see Microsoft make available a master list of All ActiveX controls, so that those who don't use IE can xnay this baloney once and for all.

Posted by: BTKrebs | July 14, 2009 7:21 PM | Report abuse

Great. The last MS updates installed .NET Framework Assistant in Firefox again, without the way to uninstall it (even after restarting) that was presented in your last column on the subject.

Posted by: jtprussell | July 14, 2009 8:15 PM | Report abuse

Internet Explorer is NOT the only application that employs ActiveX controls. Other vendor products do as well.

As I've said before, but it's worth saying again, Microsoft Patch Tuesday reminds us that there are always vulnerabilities that will be exploitable that are presently unknown to us today.

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/microsoft-patch-tuesday-reminds-us-how-vulnerable-pcs-are

As for re-enabling ActiveX controls after they've been disabled, if they are in fact being used by some application, well, yes, one must re-enable them if the respective patches do not. That to me is a vital question: do the patches undo the kill bits? The consequences to enterprises are obviously big.

As for dealing with ActiveX exploits:

http://www.blueridgenetworks.com/securitynowblog/endpoint_security/attack-exploit-internet-explorer-video-activex-windows-xp-antivirus-fails

The above is how I deal with them. I should disclose, however, that this involves a product I manage.

Posted by: eiverson1 | July 15, 2009 2:53 PM | Report abuse
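Both the reply above from BTKrebs (the interim fix and the patch both "kill" the control's registry entry) and the question from eiverson1 (do the patches undo the kill bits?) come down to one registry value that an administrator can audit. The script below is an added example, not code from the post, its author or Microsoft: it reads the "Compatibility Flags" value under the ActiveX Compatibility key, where bit 0x400 is the kill bit, and checks both the native and the Wow6432Node view. The CLSID in it is a placeholder, since the post does not list the affected control's CLSID; substitute the CLSIDs from the Microsoft advisory.

```powershell
# Added example (not from the post or Microsoft): audit ActiveX kill bits.
# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD stored under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# On 64-bit Windows, 32-bit IE reads the Wow6432Node copy, so check both.

function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string]$Clsid   # placeholder CLSID below; use the advisory's values
    )
    $killBit = 0x400
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    $result = [ordered]@{ Clsid = $Clsid }
    foreach ($root in $roots) {
        $key  = Join-Path $root $Clsid
        $view = if ($root -like '*Wow6432Node*') { 'x86' } else { 'native' }
        # Missing key or value -> $null; no kill-bit entry means the control is allowed to load.
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) {
            $result[$view] = 'no entry (control allowed)'
        } elseif (($flags -band $killBit) -ne 0) {
            $result[$view] = ('kill bit set (flags=0x{0:X})' -f $flags)
        } else {
            $result[$view] = ('entry present, kill bit clear (flags=0x{0:X})' -f $flags)
        }
    }
    [pscustomobject]$result
}

# Run after applying the patch (or the Fix It) to confirm the control stays blocked.
# '{00000000-0000-0000-0000-000000000000}' is a placeholder, not a real control's CLSID.
$clsidsToCheck = @('{00000000-0000-0000-0000-000000000000}')
$clsidsToCheck | ForEach-Object { Test-ActiveXKillBit -Clsid $_ } | Format-Table -AutoSize
```

Run it from an elevated prompt before and after Windows Update; if a line of business application genuinely needs one of the controls, the "kill bit set" result tells you exactly which entry the patch or Fix It left in place.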


© 2010 The Washington Post Company