In association with heise online

14 October 2009, 11:37

Microsoft Patch Tuesday - 34 security vulnerabilities addressed

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Barely a single Microsoft system has been left out in this October's patch day. The company has released 13 update packages which fix a total of 34 security vulnerabilities. There's something for every supported version of Windows, from Windows 2000 to Windows 7 including server versions, Internet Explorer 5.01 to 8, Media Player and its runtime components, Office XP, 2003 and 2007, the .NET runtime environment 1.0 to 2.0, SQL Server 2000 and 2005, Visual Studio 2003, 2005 and 2008, Visual FoxPro, Report Viewer 2005 and 2008, Forefront and Silverlight 2 (including Macs). The majority of the updates are classified as critical and fix security problems which allow remote injection of malicious code, thereby enabling attackers to gain control of vulnerable systems.

Microsoft has also, for the first time, released updates for Windows 7, which in many places is already in productive use. Comparing against the advance notices for the October patch day, there are no surprises. In particular, the hotly awaited patch for the critical vulnerability in the SMB2 implementation of the Windows network protocol is now finally available. Functioning exploits for this vulnerability have been circulating online for several weeks. The long-known FTP vulnerabilities are also now confined to the dustbin of history.

The cumulative update for all versions of Internet Explorer fixes three security vulnerabilities which allow remote injection of malicious code. Microsoft has also now set the kill bit for the vulnerable ATL-COM ActiveX control.

There are two "important" patches for the CryptoAPI for all Windows versions. By using null characters or crafted ASN.1 strings, attackers have been able to feed fake SSL certificates to the encryption library - also used in many Windows programs - allowing them to view or modify secure network data. A spoof certificate for relating to this problem has recently been published.

The Malicious Software Removal Tool has also undergone its monthly update and now detects additional malware. In view of the sheer number of patches and of components affected, the advice must be to install the patches as soon as possible using Microsoft or Windows Update. A detailed list of individual vulnerabilities and the components affected can be found in Microsoft's patch day summary and individual bulletins.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit