Microsoft patches 19 bugs in sweeping security update
Fixes software affected by its own development code bug, plugs holes already exploited
Computerworld - Microsoft today delivered nine security updates that patched 19 vulnerabilities in several crucial components of Windows, as well as in Windows Media Player, Outlook Express, IIS (Internet Information Server), Office and several other products.
Security researchers pegged Tuesday's batch as "all over the map" and a "smorgasbord" of updates.
Included in today's patches were five that plugged holes that Microsoft's own software inherited from a buggy code "library," dubbed ATL (Active Template Library), that the company and others rely on to create their programs.
"This is certainly a hodgepodge," said Andrew Storms, director of security operations at nCircle Network Security. "There's no real pattern this month. I'd call it a smorgasbord."
"It's a big pile of messy stuff," said Eric Schultze, chief technical officer at Shavlik Technologies. "Everything is impacted except for Internet Explorer."
Josh Abraham, a security researcher at Rapid7, agreed. "There are a ton of things all over the map here."
Five of the updates were pegged as "critical," the most serious ranking in Microsoft's four-step scoring system, while four were marked "important," the next rating down.
The big story today, agreed security experts, was MS09-037, the update that fixed five vulnerabilities in several Microsoft-made Windows components caused by bugs in ATL.
"This one is just awful," said Abraham, referring to the ATL update.
Schultze, who called the ATL fixes a "whole handful," also ranked MS09-037 at the top of today's list. "There are five individual patches for five individual controls, each used in different [Microsoft] software. It's good that Microsoft's patched this, but it's going to be really difficult for people to patch."
Storms, however, was surprised by the small number of ATL-related patches. "We expected a slew of ATL patches," he said, "although we only got five. But I expect that we'll see more and more ATL bugs from Microsoft in the next couple of months."
Schultze, who once worked at Microsoft, said he had been told by sources inside the company that with the exception of one still-open investigation, today's fixes patch all ATL-related vulnerabilities in software that ships as part of Windows. "They might have it licked," he said, but warned that Microsoft has yet to dig into other ActiveX controls it's crafted that don't ship "in the box," or come on the operating system's installation CD.
The ATL vulnerabilities were introduced when a Microsoft programmer added an extra "&" character to the widely-used library.
Two weeks ago, Microsoft rushed a pair of emergency updates to users that plugged multiple holes in IE and Visual Studio. Those vulnerabilities were traced to ATL.
- Major browsers fall during second day at Pwn2Own hacking contest
- Major companies, like Target, often fail to act on malware alerts
- Phishing campaign targets Google Docs, Drive users
- California police criticized for 'stingray' cellphone trackers
- NSA denies Facebook snooping; Zuckerberg lays into Obama
- Adobe patches a critical flaw in Shockwave Player
- The new security perimeter: Human Sensors
- Flaw gives backdoor access to some Samsung Galaxy devices
- FISA court reverses order to destroy NSA phone data
- Mt. Gox kept exchange open despite knowledge of large-scale theft
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts