August Patch Brings Windows ATL Fixes, and More

Tuesday's nine security patches are all about networking, the Internet, servers and interoperable components that tie everything together.

Microsoft's August security update, released today, includes five "critical" and four "important" items. It's an example of Redmond playing catch-up on nagging security issues such as ActiveX controls, remote procedure call exploits and weaknesses in a media file parsing component. All in all, the patches address 19 vulnerabilities, 15 of which are rated as critical.

This relatively frothy slate of hotfixes comes after Redmond issued several off-cycle security bulletins and an out-of-band patch release in the last two months.

"After a summer of heavier-than-normal Patch Tuesdays, the last thing IT workers need is yet another large batch of patches from Microsoft," said Paul Henry, a security and forensic analyst at Lumension. "Unfortunately, that is exactly what we got."

Security pros and network administrators will have their hands full. Deciding what to patch promises to be a tall order, with a mix of remote code execution (RCE), elevation-of-privilege and denial-of-service risk considerations.

"The potential danger is that many of these vulnerabilities can be exploited by simply getting a user to visit a Web page that contains malicious content," said Ben Greenbaum, senior research manager at Symantec Security Response. "For example, any user who has Microsoft Office on their machine could be vulnerable to the Microsoft Office Web Components vulnerabilities."

Critical Patches
The first critical fix resolves "several privately reported vulnerabilities" in Microsoft Office Web Components, a continuation from previous security advisories. The vulnerabilities could allow remote code execution via a malicious Web page. The patch affects Microsoft Office 2000 and 2003, as well as Microsoft Office Small Business Accounting 2006. However, this fix also relates to Visual Studio .NET 2003, ISA Server 2004 and 2006, plus BizTalk Server 2002.

The second critical fix addresses RCE exploits in supported Windows OS versions ranging from Windows 2000 to Windows Vista, as well as Windows Server 2003 and 2008. It also will plug holes in the Windows Client for Mac, a remote desktop function that allows Mac users to connect to Windows-based workstations. According to Redmond, the fix addresses two privately reported vulnerabilities affecting client-side users of Microsoft's Remote Desktop Connection for Mac.

Critical fix No. 3 is for Windows Internet Name Service (WINS), addressing two previously disclosed holes. Microsoft says either of the two vulnerabilities could allow remote code execution when a user receives a "specially crafted" WINS replication packet on an infected system or opens a corrupt Web page. The fix touches on Windows Server 2000 and Windows Server 2003.

Windows Media files are at the center of the fourth critical patch, which affects all supported Windows OS versions. It involves corrupt Audio Video Interleave (AVI) files, which if opened on an infected system could give a hacker complete control over a workstation and, by extension, the processing environment itself.

The fifth and final critical patch pertains to the Windows Active Template Library (ATL), and has been much anticipated. Other vulnerabilities involving ATL were patched in late July as part of an off-cycle bulletin release. Tuesday's fix affects Outlook Express and Windows Media Player on every supported Windows OS version. DHTML Editing Components and MSWebDVD ActiveX controls are also covered by this patch.

"This month had the potential to be the month of ATL bug fixes," said Andrew Storms, director of security at nCircle. "But it has turned out to be more of a smorgasbord. These updates are going to require lots of IT resources for testing and deployment."

Important Patches
Microsoft is addressing remote procedure call exploits, a common patch concern, with important fix No. 1, which has elevation-of-privilege considerations. Left unpatched, hackers may be able to use this vulnerability to promote their user status, or that of their automated proxies, to super-user status on a given system. This is an across-the-board Windows patch: XP, Vista, Windows Server 2003 and Windows Server 2008 are all scheduled to receive it.

The second important bulletin is another elevation-of-privilege patch -- this time for Windows Message Queuing Service. It affects every Windows OS except for Windows Server 2008 and fixes a vulnerability in the way e-mail and server operation messages are ordered for receipt.

The third important item will deal with Redmond's .NET Framework for Vista and Windows Server 2008. It is designed to fix a denial-of-service vulnerability, which can be exploited when using Microsoft's Internet Information Services 7.0. Moreover, the exploit only works when ASP.NET is configured to use "integrated mode on affected versions" of Windows operating systems. Either way, if this vulnerability is left unpatched on such systems, administrators and Web developers could get locked out of programs.

The last important item on the slate deals with an RCE exploit in Microsoft's Telnet program, which is used for remote system administration and configuration. The patch will affect all supported Windows operating systems.

The August security update will keep IT pros busy. Only the .NET Framework patch will not require a restart, according to Microsoft.

IT pros interested in nonsecurity updates, via Windows Update, Microsoft Update and Windows Server Update Services, can check out this knowledgebase article for the particulars.

In the meantime, this formidable mix of server- and client-side issues should keep everyone busy, said Eric Schultze, chief technology officer of Shavlik Technologies, who added that server-side fixes will "keep network administrators up at night."

"I always encourage patching the server-side issues as soon as possible," he said. "Maybe [for enterprises] it's best to form two teams and patch server-side and client-side issues simultaneously."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.