August 2009 Bulletin Release

Summary of Microsoft’s Security Bulletin Release for August 2009

Hi everyone,

This month, we released nine security bulletins. Five of those are rated Critical and four have an aggregate severity rating of Important. Of the nine updates, eight affect Windows and the last one affects Office Web Components (OWC). It is also important to note that five of the six critical updates also have an Exploitability Index rating of “1”, which means that we could expect there to be consistent, reliable code in the wild seeking to exploit one or more of these vulnerabilities within the first 30 days from release. The chart below shows the aggregate severity summary and exploitability index ratings for all nine bulletins. This overview chart should guide you in prioritizing this month’s updates in order to protect your systems efficiently and effectively.

Of particular note in this release is MS09-037, which is an update for Microsoft Active Template Library (ATL). Among the five updates in this bulletin is a binary-level update for the Microsoft Video ActiveX Control. As you may recall, we originally released Security Advisory 972890 on July 6 in response to an active attack against this component and subsequently released Security Bulletin MS09-032 to supply an official kill bit update (rather than the temporary Microsoft Fix it supplied with the advisory). All of the included vulnerabilities were privately reported, have a critical severity and are rated “1” on our exploitability index. We encourage you to deploy this update as soon as possible. We will be updating Security Advisory 973882 to include a reference to this bulletin as it relates to ATL.

Another of the updates I would like to draw your attention to is MS09-043, which addresses the Office Web Components vulnerability discussed in Security Advisory 973472. We strongly encourage customers to review and deploy this bulletin if applicable given that we have seen exploitation in the wild. Even though this update addresses an ActiveX control issue, it is unrelated to the ATL issue we discuss in Security Advisory 973882.

If you are running a WINS server on either Windows 2000 or Windows Server 2003, then I would also call your attention to MS09-039, as this one has the potential for an unauthenticated, self-replicating attack across the network. Installing the update will protect your systems should any attacks be developed to exploit the vulnerabilities addressed in this update, but at this time we are not aware of any exploit code in the wild.

In the video below, Adrian Stone and I provide an overview of this month’s release and discuss the updates above in a little more detail. For even greater detail on all nine bulletins, please join us tomorrow, August 12 at 11:00 a.m. (UTC-7) for our monthly bulletin webcast where we will also address your questions concerning these updates. Click HERE to register >>

We are also re-releasing two bulletins this month:

  • MS09-029 to address a print spooler issue on various Windows platforms that could cause the print spooler to stop responding in certain scenarios. Please see Knowledge Base article 961371 for details.
  • MS09-035 to offer new updates for Visual Studio 2005 SP1, Visual Studio 2008 and Visual Studio 2008 SP1. The new security updates are for developers who use Visual Studio to create components and controls for mobile applications using ATL for Smart Devices. All Visual Studio developers should install these new updates so that they can use Visual Studio to create components and controls that are not vulnerable to the reported issues. For more information on this known issue, see Knowledge Base Article 969706.

To close this month’s blog post, I would encourage systems administrators and application developers to read through Security Advisory 973811, which was also released today. This is a non-security update that enables new protection technology that can be used to enhance the protection of credentials when authenticating network connections.

As always, please check the Security Research and Defense blog for additional technical information on these updates. We hope to see you at the webcast tomorrow.


Jerry Bryant

*This posting is provided "AS IS" with no warranties, and confers no rights*