Microsoft on Tuesday released nine patches, five of them critical, to plug holes in Windows and other software products.
The nine patches relate to 19 separate vulnerabilities in Windows, the .NET Framework, Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server and Remote Desktop Client for Mac.
Among the issues addressed is one Microsoft warned about last month — a vulnerability related to the Office Web Components that help users put spreadsheets, charts and other documents onto the web.
At the time, Microsoft said it was already seeing attacks based on the flaw, which affects Office XP, Office 2003, Internet Security and Acceleration Server 2004 and 2006, as well as Office Small Business Accounting 2006.
More information on that issue and the others addressed with this month's patches is available in Microsoft's August security bulletin.
Microsoft had announced last week that the patches were coming.
Symantec senior research manager Ben Greenbaum noted that many of the vulnerabilities this month related to so-called ActiveX controls, and added that many of the holes could be exploited just by getting a user to visit a web page that has malicious code.
"All of the ActiveX issues patched this month could be easily exploited and can impact even the average computer user," Greenbaum said in an email. "For example, any user who has Microsoft Office on their machine could be vulnerable to the Microsoft Office Web Components vulnerabilities. Similarly, every user with Windows XP SP3 or Vista could also be susceptible to one of the Remote Desktop Connection issues."
Not all versions of Office are affected, as the web components issue does not affect the latest version: Office 2007. For a list of Office programs affected, see Microsoft security bulletin MS09-043.
In any case, McAfee and Lumension both noted that it continues to be a long, hard summer for IT professionals who have had to deal with a large number of regular patches, as well as some unscheduled ones, from Microsoft and others.
"There's no break from patching this summer," McAfee Avert Labs's Dave Marcus said in a statement. "Microsoft is playing catch-up with these patches as cybercriminals have already used some of the serious vulnerabilities to commandeer vulnerable Windows computers."
Lumension analyst Paul Henry said there had been some fear that the patches would go further, addressing some kernel-level issues, though he noted that the latest crop of patches will bring their fair share of headaches.
"After a summer of heavier-than-normal Patch Tuesdays, the last thing IT workers need is yet another large batch of patches from Microsoft," Henry said in a statement. "Unfortunately, that is exactly what we got today as Microsoft released a total of nine security updates, five of which are critical and seven of which require disruptive restarts."
