August 2009 Security Bulletin

  • Article

This is a quick overview on TechNet EDGE of the security bulletins released by the Microsoft Security Response Center (MSRC) in August 2009. This month, we released nine security bulletins. Five of those are rated Critical and four have an aggregate severity rating of Important. Of the nine updates, eight affect Windows and the last one affects Office Web Components (OWC). It is also important to note that five of the six critical updates also have an Exploitability Index rating of “1” which means that we could expect there to be consistent, reliable code in the wild seeking to exploit one or more of these vulnerabilities within the first 30 days from release.

Please see the bulletin below

Get Microsoft Silverlight

Of particular note in this release is MS09-037 which is an update for Microsoft Active Template Library (ATL). Among the five updates in this bulletin is a binary level update for the Microsoft Video ActiveX Control. As you may recall, we originally released Security Advisory 972890 on July 6 in response to an active attack against this component and subsequently released Security Bulletin MS09-032 to supply an official kill bit update (rather than the temporary Microsoft Fix it supplied with the advisory). All of the included vulnerabilities were privately reported, have a critical severity and are rated “1” on our exploitability index. We encourage you to deploy this update as soon as possible. We will be updating Security Advisory 973882 to include a reference to this bulletin as it relates to ATL.

Another of the updates I would like to draw your attention to is MS09-043, which addresses the Office Web Components vulnerability discussed in Security Advisory 973472. We strongly encourage customers to review and deploy this bulletin if applicable given that we have seen exploitation in the wild. Even though this update addresses an ActiveX control issue, it is unrelated to the ATL issue we discuss in Security Advisory 973882.

If you are running a WINS server on either Windows 2000 or Windows Server 2003 then I would also call your attention to MS09-039 as this one has the potential for an un-authenticated, self-replicating attack across the network. Installing the update will protect your systems should any attacks be developed to exploit the vulnerabilities addressed in this update but at this time, we are not aware of any exploit code in the wild.