Microsoft Releases Patch To Fix ActiveX, Media File Flaws And More

Microsoft has released nine patches to fix 19 security vulnerabilities affecting multiple Windows systems. The patches would address multiple critical ActiveX and Windows Media File loop holes that could invite hackers malicious attacks. The patches were know to be affecting multiple Windows systems including XP, Server 2003, Vista and Server 2008. The nine patches five repaired errors were deemed critical. This indicates the remote attackers could launch malacious code on victims PC without any intervention.

Security experts that the August patch load was distinguished by the wide variety of patches that address everything from ActiveX flaws and Office Web Components vulnerabilities to Web Server and Workstation bugs.

Briefs on patches

Office Web Component

One of the most significant patches this month’s patch batch is a zero-day flaw in Office Web Component that addresses an array of security holes in ActiveX. This was Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server and Microsoft BizTalk Server. If the flaw is not patched it would allow the hackers to download malicious code on user’s PC by enticing them to view a malicious Web pages. In a security advisory released this july, Microsoft had warned the users that hackers had already exploited the flaws.

Windows Media File
The security flaw repairing also includes critical fixes to Windows Media File Processing that affected Windows XP, Vista, Server 2003 and Server 2008. Hackers exploited the flaw to take control of a users PC by enticing them to open a malacious AVI file through some engineering scheme. This vulnerability has particular relevance due to widespread media file streaming and sharing.

According to Jonathan Bitle, technical director for Qualys

It allows (hackers) to exploit a host and take control of it,

He adds

With all the media-sharing sites out there, whether it’s MySpace or YouTube, just about anyone can be affected.

Window Internet Name Service

Two critical flaws in Window Internet Name Service (WINS) were checked by another patch. The flaws allowed the hackers to gain control over a remote server by sending infected WINS replication packets, which gives undesired access to password on domain controllers and infrastructure machines.

Remote Desktop Connection

The critical patches also included a fix for users running Remote Desktop Connection that allowed remote code execution for users running Remote Desktop Connection Client for Mac and plugs for holes in Microsoft Active Template Library.

ASP.NET

In addition to its critical patches Microsoft released three patches with slightly sever ranking of importance like a patch fixing an error in ASP.NET in Windows that could allow the hackers to launch a denial-of-service attack when Internet Information Services 7 is installed. Attackers could launch DDDOS attacks by sending copious malicious HTTP requests. This ultimately leads to system shutdown after flooding the web server with massive traffic that it cannot handle.

Schultze warns that the flaw can have a drastic impact to business that runs things via Web server. The hackers might crash the  your IIS7 Web server. All they have to do is send some packets.

To apply the security patches users can run the Microsoft Automatic Updates or by manually installing Microsoft Updates. Security experts recommend that users may apply the patches immediately to reduce risk of attacks.