Alert

Microsoft Updates for Multiple Vulnerabilities

Last Revised
Alert Code: TA09-223A

Systems Affected

  • Microsoft Windows and Windows Server
  • Microsoft Office
  • Remote Desktop Connection Client for Mac 2.0

Overview

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Windows Server, Office Web Components and Remote Desktop Connection for Mac.

Microsoft has released multiple security bulletins for critical vulnerabilities in Windows, Windows Server, Office Web Components, and Remote Desktop Connection for Mac. These bulletins are described in the Microsoft Security Bulletin Summary for August 2009.

Microsoft Security Bulletin MS09-037 includes updates for Microsoft components to address vulnerabilities in the Active Template Library (ATL). Vulnerabilities in the ATL can carry over into the ActiveX controls and COM components built with it. Any ActiveX control or COM component that was created with a vulnerable version of the ATL may be vulnerable, including those distributed by third-party developers.

Developers should update the ATL as described in the previously released Microsoft Security Bulletin MS09-035 in order to stop creating vulnerable controls. To address vulnerabilities in existing controls, recompile the controls using the updated ATL. Further discussion about the ATL vulnerabilities can be found in the Microsoft Security Advisory 973882.

Impact

An attacker may be able to execute arbitrary code, in some cases without user interaction.

Solution

Apply updates from Microsoft

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for August 2009. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

 


Revisions

August 11, 2009: Initial release
