Although August is the month of vacations, it’s certainly not the case for Microsoft which today announced 9 total patches as part of their monthly Patch Tuesday release cycle for August 2009. There are 5 critical patches that can all be exploited remotely and 4 important ones that require direct access to the system for exploitation. This release covers a variety of products with Windows as the main focus.
Highlights of the 5 critical patches covered in this release are:
- MS09-37: This is an MS Active template library patch that covers 5 vulnerabilities. It supersedes MS09-034 where a temporary fix was made available as a work around. This is a true patch and it covers a lot of Microsoft software on all versions of Windows including Outlook, MS media players, ActiveX and many others.
- MS09-038: Windows Media file processing patch where a malicious AVI can be posted on any media site for exploitation. All that’s needed to be exploited is to click on a malicious link on a file-sharing site like MySpace or others. The malicious link can then take complete control of the user’s computer.
- MS09-039: This is a patch for WINS and while critical WINS is not installed by default so it is likely not that relevant for most users. However, if WINS is enabled on a Windows system, someone can send a malicious packet to the running service and take control of user’s machine.
- MS09-043: This is an Office patch for 4 vulnerabilities including one Zero-day. Office is very prevalent and this vulnerability is fairly simple to exploit. All that’s needed is to convince someone to view a malicious web page. There is already a Zero-day detection for it in the QualysGuard Knowledgebase (QID 110101) to address CVE-2009-1136.
- MS09-044: This is a patch to address a Remote Desktop vulnerability that is critical, but it requires the user to connect to a malicious server using Remote Desktop. Remote Desktop is typically used by an advanced user or system administrator.
Although this is a big release, there are no surprises in it as it addresses an outstanding public Zero-day vulnerability and it includes an official patch for the out-of-band patch released in July for MS09-034. As always users are urged to review these critical patches carefully against their environment and apply them as soon as possible. QualysGuard users are advised to scan systems in their environment to identify affected Windows machines and patch them accordingly.