19 security vulnerabilities fixed in Windows components and applications
Nine updates from Microsoft fix a total of 19 security vulnerabilities in various Windows components and applications. These include the critical vulnerability in an ActiveX control in Microsoft Office Web Components that has been known for about four weeks. Update MS09-043 eliminates three other holes in that control at the same time. Update MS09-044 for Remote Desktop Connection prevents an RDP server or a manipulated web site from injecting malicious code into the RDP client and running it.
Installing update MS09-038 limits the extent to which attackers can exploit two vulnerabilities while crafted AVI files are being processed under Windows. Microsoft says these bugs can be provoked independently of Windows Media Player.
Although the problems with the Active Template Library (ATL) and the associated ineffectiveness of kill bits for ActiveX controls were dealt with two weeks ago with an emergency patch, Microsoft has now added a belt to their braces for security's sake by issuing update MS09-037. This eliminates five other vulnerabilities in the ATL, so it ought to make a whole raft of applications based on it more secure. Microsoft lists 13 ActiveX controls in Windows XP alone that enable remote code execution.
Another two critical errors in WINS could be exploited to compromise a Windows system, and these are fixed by update MS09-039. By default, WINS is only installed on Windows 2000 (SP4) and Server 2003 (SP2), and other systems are vulnerable only if users have subsequently installed the WINS service.
Update MS09-036 for ASP.NET fixes a vulnerability that can cause applications running on Internet Information Services (IIS) 7.0 to cease responding. That, says Microsoft, could be done by sending crafted HTTP requests to the server, although the server continues to supply normal HTML files. This attack only works on servers hosting ASP 2.0 on IIS 7.0 in integrated mode.
Windows Workstation Service and the Message Queuing Service (MSMQ) get one update each (MS09-041, MS09-040) to fix bugs that enable users to elevate their privileges on a system. With MS09-042, Microsoft has also fixed a vulnerability in the Telnet service in connection with authentication by means of NTLM.
A malicious server could send the login data it receives back to the victim in order to gain access to their PC. For that to work, ports 139 and 445 on the victim's PC have to be accessible, which is the case if Shared Resources is enabled on the LAN and the firewall doesn't block the ports. Microsoft fixed a similar problem (SMB Reflection Attacks) in November 2008.
Further details about the vulnerabilities in WINS, the ATL and ASP.NET are given in the Microsoft Security Research & Defense blog. Microsoft's Security Response Center blog gives a graphical overview of a "severity and exploitability index". The ASP.NET vulnerability is the only vulnerability that Microsoft considers unlikely to be exploited.