

Microsoft Fixes ActiveX, Media File Flaws In Patch Tuesday Release

By Stefanie Hoffman
August 11, 2009    6:10 PM ET

Microsoft released nine patches, repairing a total of 19 security vulnerabilities, in its Patch Tuesday security bulletin release, addressing multiple critical ActiveX and Windows Media File flaws that could pave the way for hackers to execute malicious attacks.

Altogether, the patches affect multiple Windows systems, including XP, Server 2003, Vista and Server 2008. Of the nine patches, five repaired errors deemed critical, indicating that remote attackers could launch malicious code on victims' PCs without any user intervention.

Security experts said that the August patch load was distinguished by the wide variety of patches that addressed everything from ActiveX flaws and Office Web Components vulnerabilities to Web server and Workstation bugs.

"We are all over the place. We cover everything but Internet Explorer," said Eric Schultze, chief technology officer at Shavlik Technologies. "There are a lot of bulletins and a lot of patches per bulletin."

One of the most significant patches in this month's patch batch fixed a zero-day flaw in Office Web Components, addressing an array of security holes in ActiveX, affecting Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, and Microsoft BizTalk Server. If left unpatched, the flaw enables hackers to download malicious code on users' PCs by enticing them to view a malicious Web page. Microsoft released a security advisory in July, warning users that hackers had already exploited the flaw.

The bundle also includes critical fixes for a flaw in Windows Media File Processing, affecting Windows XP, Vista, Server 2003 and Server 2008, which enables hackers to take control of a user's PC by enticing the user to open a malicious AVI file -- typically through some social engineering scheme. Security experts said that this vulnerability has particular relevance due to widespread media file streaming and sharing.

"It allows (hackers) to exploit a host and take control of it," said Jonathan Bitle, technical director for Qualys. "With all the media-sharing sites out there, whether it's MySpace or YouTube, just about anyone can be affected."

Another significant patch repaired two critical flaws in the Windows Internet Name Service (WINS). The flaws allow hackers to take remote control of a server by sending infected WINS replication packets, giving untold access to passwords on domain controllers and infrastructure machines, experts said.

"They may not be authenticated at all, but if they can shoot some packets at the WINS server, they can own that server," Schultze said.

Other critical patches released Tuesday include a fix for Remote Desktop Connection, which allows remote code execution for users running Remote Desktop Connection Client for Mac, as well as plugs for holes in Microsoft Active Template Library.

In addition to its critical patches, Microsoft released three patches with the slightly less severe ranking of "important," including a patch fixing an error in ASP.NET in Windows that could enable hackers to launch a denial-of-service attack when Internet Information Services 7 is installed. Attackers could launch DDOS attacks by sending copious malicious HTTP requests, ultimately resulting in a system shutdown after flooding the Web server with more traffic than it can handle.

Despite the "important" ranking, Schultze said that the flaw can have a drastic impact on businesses hosting Web servers if it is actively exploited. "If you are a business that runs things via a Web server, attackers can crash your IIS7 Web server. All they have to do is send some packets," Schultze said. "For anyone who is responsible for managing an IIS7 Web server, this should be priority No. 1."

Users can apply the security patches by running Microsoft Automatic Updates or manually installing Microsoft Updates. Security experts recommend that users apply the patches immediately to reduce risk of attack.
