Problems with ActiveX controls prompt an out-of-cycle patch. Plus: Zero-day attacks on several Adobe apps, and an update to Firefox.Microsoft might have been feeling like the little Dutch boy over the last month, plugging holes with regular patches and with rare out-of-cycle fixes in an attempt to prevent attackers from pouring through.
The out-of-cycle patch, critical for all versions of Internet Explorer on 2000, XP, and Vista, addresses IE's handling of flawed ActiveX controls created with the Microsoft Active Template Library (ATL), a developers tool included with Visual Studio. At-risk PCs could be hit by a drive-by-download attack. This serious vulnerability affects many ActiveX controls. For example, Adobe confirmed on its security site that its Shockwave and Flash Player ActiveX controls "leverage vulnerable versions of ATL," and that it is working on a fix:
http://blogs.adobe.com/psirt/ The issue also affects IE on Windows Server 2003 and 2008, but is rated moderately severe on those OSs.
Zero-Day FixesMicrosoft's regular Patch Tuesday release closed plenty of other holes, including a zero-day flaw that had been under attack and involved an ActiveX control used by Microsoft Video:
http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx Though the patch disabled the control, which served no legitimate purpose, it didn't correct the underlying flaw. The fix, critical for Windows XP and moderate for Windows Server 2003, doesn't affect Windows 2000, Vista, or Server 2008.
A second fix stopped attacks on Microsoft DirectShow's processing of QuickTime content:
http://www.microsoft.com/technet/security/bulletin/MS09-028.mspx The attacks, which didn't depend on having Apple's QuickTime installed, could trigger if a victim opened or previewed a poisoned QuickTime file. DirectX 7, 8.1, and 9.0 on Windows 2000 need the fix, as does DirectX 9.0 on XP and Server 2003. Vista and Server 2008 get a pass.
Other critical fixes addressed holes in how all supported versions of Windows handle fonts in Web pages, e-mail, and Office docs. The flaws in the Embedded OpenType Font Engine had not been attacked prior to the patch release, but they are doozies:
http://www.microsoft.com/technet/security/bulletin/MS09-029.mspx A serious flaw in Microsoft Office Web Components involves an ActiveX issue that permits attacks on IE users:
http://www.microsoft.com/technet/security/Bulletin/MS09-043.mspx A wide range of Office components and versions need the fix; for the complete list of affected software, see the linked Microsoft page.
You can grab all the aforementioned fixes via Windows Update.
Adobe and Firefox PatchesMicrosoft wasn't the only one to suffer from a zero-day threat over the last month. Adobe, another popular target, issued fixes for Flash (on all platforms), as well as for Reader, Air, and Acrobat, after reports of attacks that used poisoned PDFs to exploit Flash flaws. To protect against these multipronged attacks, be sure to update all of your Adobe apps. Grab Flash version 10.0.32.18:
http://get.adobe.com/flashplayer and the latest Air at Adobe's site:
http://get.adobe.com/air For Reader, update to version 9.1.3 by opening the program and choosing Tools, Check for Updates. See Adobe's security bulletin for links to Acrobat updates for Mac and Windows, along with more details:
http://www.adobe.com/support/security/bulletins/apsb09-10.htmlTo wrap up your must-haves, Firefox users should upgrade to the latest available version to apply multiple fixes for various holes in versions 3 and 3.5, including a serious flaw in 3.5's handling of JavaScript, plus a problem affecting Firefox 3's use of SSL certificates to encrypt secure Web connections (3.5 was already safe from that flaw). Click Help, Check for Updates to confirm that you have the latest version. And if you're still on version 3, visit the Firefox site to download 3.5; it's a relatively painless upgrade:
http://getfirefox.com/(PCW)