Network News

X My Profile
View More Activity

Microsoft Fixes 19 Windows Security Flaws

Microsoft today issued a raft of software updates to plug at least 19 security holes in its various Windows operating systems and other software, 15 of which earned the company's most dire "critical" rating.

This month's batch of patches fix some fairly dangerous flaws. Redmond labels a security flaw "critical" if attackers could use it to seize control over a vulnerable system without any help from the victim. What's more, a dozen of the flaws earned the highest rating on Microsoft's "exploitability index," which is the software maker's best estimation of the likelihood that criminals will soon develop reliable ways to exploit them to break into Windows-based machines.

Patches are available for Windows 2000, XP, Vista, Windows Server 2003 and Windows Server 2008. Microsoft said none of the vulnerabilities affect Windows 7, its newest operating system. Windows users can download the updates from Windows Update or via Automatic Updates

Many of the flaws fixed this month stem from faulty ActiveX controls, tiny programs built to work with Internet Explorer that have full access to the Windows operating system. As a result, flaws in ActiveX controls can give hackers extremely powerful tools with which to take over vulnerable systems. In my opinion, ActiveX flaws are among the prime reasons to browse the Web with an alternative browser, such as Firefox or Opera. Indeed, according to Microsoft, all of these ActiveX vulnerabilities can be exploited merely by convincing an Internet Explorer user to visit a hacked or malicious Web site.

At least five of the vulnerabilities are ActiveX flaws associated with a software development "template" or code library that Microsoft makes available to other software makers and uses throughout Windows. Last month, Microsoft issued an emergency update to fix this flawed template, known as an "active template library" or ATL, and the company says attackers are currently exploiting at least one of those ATL flaws.

Today's release also fixes four ActiveX flaws that shipped with most supported versions of Microsoft Office, including Office 2000 Web Components, Office XP, and Office 2003. Microsoft warns that at least one of these Office flaws is actively being exploited online.

Another notable update shipped this month fixes a pair of critical flaws in the way Windows processes .AVI files, meaning attackers could use this vulnerability to hijack Windows computers just by getting someone to open a booby-trapped video file.

As usual, please drop a line in the comments if you experience any problems installing these patches, or stability or usability issues after installing them. A breakdown of the vulnerabilities fixed in this month's patch release is available here.

By Brian Krebs  |  August 11, 2009; 3:01 PM ET
Categories:  Latest Warnings , New Patches , Safety Tips  | Tags: microsoft patch tuesday  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Russia-Georgia Conflict Blamed for Twitter, Facebook Outages
Next: Security Patch Catchup: Java, Safari & OS X


I like Microsoft, I think Vista 64 is a superior operating system, however, I wish they'd finally admit that ActiveX is a flawed architecture.

The plug-ins of Foxfire are more functional, are more secure and there is an entire ecosystem of plug-ins to support almost any need.

Maybe MS needs to stop haveing a NIH attitude.

Posted by: Ombudsman1 | August 11, 2009 11:15 PM | Report abuse

I'd be interested in seeing a demonstration of one of these security flaws in operation.
Is there a website or link to such a demonstration?

Posted by: edlharris | August 11, 2009 11:22 PM | Report abuse

Mentioned in the CERT advisory for this update was the Remote Desktop Connection software for Mac OS X.

Strangely, the "Check for updates" option in my 2.0.0 (vulnerable version) of RDC didn't recognize that there was an update available, and I had to go looking for the 2.0.1 version myself.

Posted by: Annorax | August 12, 2009 2:33 AM | Report abuse

After installing the available updates for my computer, (Vista) during the reboot process I got the famous blue screen. After twice turning off and then booting into safe mode I could not get it them to install, or get my computer to work. I had to restore my system to a prior date. Still working on resolution to install security updates without disabling computer.

Posted by: walt17 | August 12, 2009 7:45 AM | Report abuse

Although I generally use my Ubuntu computers, an elderly friend uses IE and Firefox, but her XP's default browser is IE. How does a person set the default browser? Eg, so that her default browser would be Firefox?

Posted by: TeresaBinstock | August 12, 2009 8:48 AM | Report abuse

For TeresaBinstock:

1. Open Firefox.
2. At the top of the Firefox windowOn the menu bar, click on the ToolsFirefoxEdit menu, and select Options...Preferences....
3. Select the Advanced panel, then click the General tab, and then click Check Now.
4. Select Yes to set Firefox as your default browser.

I got this right out of Firefox's help. For all the pictures and some additional steps if you have a problem here is the link.

Posted by: drweidner1 | August 12, 2009 9:42 AM | Report abuse

TeresaBinstock, in Windows XP you can do the following : First download and install the latest version of Mozilla Firefox ( Then, click «Start» → «Control Panel» → «Add or Remove Programs» → «Set Program Access and Defaults» → «Custom». Click the icon to the right of «Custom» to expand the category and choose «Mozilla Firefox» from the menu. Hope this helps !...


Posted by: mhenriday | August 12, 2009 9:46 AM | Report abuse

There was one security update for Windows 7. I am running the 64-bit RC version and Windows Update identified a critical update for it.

Posted by: JazzGuyy | August 12, 2009 9:46 AM | Report abuse

To set Firefox as default browser, after installing, on the menu bar, go to tools, then Options, and under Options, the Advanced tab. Then at the bottom, it allows you to set the browser (and test) as the default browser.

Posted by: TwoCentsWrth | August 12, 2009 9:54 AM | Report abuse

I started to download the MS updates filling in the required fields. But at the end I got this "error" message:

The portion of your e-mail address that follows the @ symbol is part of a "reserved domain" such as,, or Please type a different e-mail address.

I only have one computer - why would I have another e-mail address?

Posted by: blandamer | August 12, 2009 10:01 AM | Report abuse

@drweidner -- you beat me to it, thanks!

@JazzGuyy -- can you tell me what the KB number is of the patch that was installed? you should be able to tell by looking at the Windows Update history, or the installed programs. thanks!

Posted by: BTKrebs | August 12, 2009 10:04 AM | Report abuse

It is too bad for all of this to happen but I am a Macintosh user and was wondering if the fixes have been applied to their Mac based software yet or if not are they planning to do it?

Posted by: perly1 | August 12, 2009 10:19 AM | Report abuse

Hey edlharris, if you have to ask that question on this web site, then you should not be playing with fire.

If you knew what you were doing well enough to play with these things, you would be in the loop and you would not have to ask.

Posted by: frantaylor | August 12, 2009 10:32 AM | Report abuse

I use Firefox; It's set to be my computer's "default browser." I've tried to un-install MS Internet Explorer and Outlook. I've set my Firewall and internet security programs not to allow IE and Outlook to go out to the internet. Still, some applications on my computer will automatically start these programs, and they still run. Do the MS security updates re-install or re-enable IE and Outlook? Is there any way to get rid of Active-X, and would we want to do this? This whole mess is a powerful incentive to buy and learn Unix.

Posted by: JKGordon | August 12, 2009 10:37 AM | Report abuse

Suppose my machine is already being exploited. Will these updates fix it?

Posted by: ffoulks | August 12, 2009 10:48 AM | Report abuse

JKGordon, you can't get rid of ActiveX, and you can't get rid of IE.

It would be like trying to get rid of the shell on a Unix machine. You would be removing functionality that is required for basic operation.

Yes, of course it is beyond foolish to require web browser functionality in order to have a functional computer. But remember who we are dealing with here, it is really a bit much to expect Microsoft to think things through.

Posted by: frantaylor | August 12, 2009 10:51 AM | Report abuse

BTW, most of the patches in the update I was offered aren't listed in the summary at the link you included at the end of this column. Isn't it a poor idea to blindly install all of the patches if we're not using the MS programs and services that the patches are designed to protect?

Posted by: JKGordon | August 12, 2009 10:51 AM | Report abuse

the link you included at the end of this column:

Posted by: JKGordon | August 12, 2009 10:52 AM | Report abuse

ffoulks: No, the only way to be sure is to re-install the operating system from scratch and immediately run Windows Update. If you REALLY want to be sure, you should run a utility that will wipe your disk clean before reinstalling.

This is YET ANOTHER reason why you should ALWAYS have backups of your data. That way you can easily reinstall when you are having problems.

If you don't have the original disks for your computer so that you can reinstall, well, you are just playing with fire.

Posted by: frantaylor | August 12, 2009 10:55 AM | Report abuse

JKGordon, these updates fix many things, not just the security problems mentioned. Even if you do not run IE. Firefox must use bits and pieces of IE in order to function on the Windows platform, so even Firefox can be affected by these issues.

Posted by: frantaylor | August 12, 2009 11:00 AM | Report abuse

Teresa, you might also want to take a look at the settings in "Set Program Access and Defaults," which is accessible from the Start menu on our computer (Windows XP).

Posted by: Heron | August 12, 2009 11:17 AM | Report abuse

JKGordon - What version of Windows are you using? What updates were you offered? And where did the offer come from? That is, did you got to or did the little icon down by your clock tell you that you had updates?

Posted by: drweidner1 | August 12, 2009 11:40 AM | Report abuse

Thank you to all who have provided instructions for making Firefox the default browser on an XP machine.

Posted by: TeresaBinstock | August 12, 2009 12:25 PM | Report abuse

Why so long? Whatcha been up to, El Gato? Been down in the vault, countin' your money, like Scrooge McDuck? Hey, he's still usin' XP! QUACK.

Posted by: JONWINDY | August 12, 2009 1:43 PM | Report abuse

This is a link to a tool to diagnose Blue Screens:

Posted by: Ricardo3 | August 12, 2009 3:56 PM | Report abuse

After getting the last update, and restarting to finish the installation, I'm currently waiting 3 hours for my computer to restart. Thanks for the help.

p.s. you owe me a crop of raspberries, and grapes on farmtown. :P

Posted by: hermit3 | August 13, 2009 11:21 AM | Report abuse

The Windows 7 update addresses KB973540 (MS09-037). It is marked as "important" rather than critical, as I initially thought. Interestingly, if you look this up at Microsoft, it says the issue is not a Windows 7 issue. Obviously, it is; just not a critical one.

Posted by: JazzGuyy | August 14, 2009 8:58 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company