MS09-037 addresses five vulnerabilities in the Active Template Library (ATL), which, if exploited, could enable execution of remote code if a specially crafted ActiveX control is hosted on a malicious website.
"Microsoft evaluated all of their ActiveX controls that ship in the box and they found five of them that were built on the insecure template library," Eric Schultze, CTO of Shavlik Technologies, provider of patch management solutions, told SCMagazineUS.com on Tuesday.
The patch was related to an out-of-cycle fix on July 28 that corrected issues in developer tools suite Visual Studio, which leverages the ATL to build ActiveX controls, as well as Internet Explorer.
Tuesday's update also includes a patch for an ActiveX vulnerability -- unrelated to the ATL bulletin -- that is being exploited in the wild. MS09-043 corrects a buggy Spreadsheet ActiveX control in Office Web Components, in addition to three other holes. The issue affects a number of software versions, including Office XP and 2003 Service Pack 3 (SP3) and Internet Security and Acceleration Server 2004 SP3 and 2006.
"We strongly encourage customers to review and deploy this bulletin, if applicable, given that we have seen exploitation in the wild," said Jerry Bryant, a Microsoft security program manager, on the company's Security Response Center Blog.
Other fixes included MS09-038, which took care of two flaws in the way Windows Media files are processed. Attackers can infect users by tricking them into opening a malicious AVI file.
Also, the update Tuesday repaired two vulnerabilities in the WINS (Windows Internet Name Service) server on Windows 2000 or Server 2003. The flaws could be taken advantage of to launch an "unauthenticated, self-replicating attack across the network," Bryant said.
Jonathan Bitle, technical director at vulnerability management provider Qualys, said the patches should remind administrators to instruct end-users to practice safe computing and not click on untrusted links or files.
"Obviously, education is a key component of all of these [patches]," he told SCMagazineUS.com.
The update also included a non-security advisory, which announced a new feature called Extended Protection for Authentication, designed to bolster the vetting of network connections to Windows.