Last month, Microsoft warned users of attacks exploiting the ActiveX control that displays Excel spreadsheets in IE, but the company was unable to patch it in time to meet the July update schedule. Security experts had predicted that Microsoft would fix the flaw today.
Users should patch the OWC bugs immediately, Abraham argued. "Anything, like this, that's been turned into a Metasploit module and weaponized should be patched as soon as possible," he said, talking about the popular penetration testing framework that both hackers and legitimate security researchers rely on for developing exploits.
Sheldon Malm, Rapid7's senior director of security strategy, urged Windows users to look beyond MS09-037 and MS09-043, the two updates he thought would get the most media attention today. He, as well as Schultze, singled out two other bulletins -- MS09-039 and MS09-042 -- that patched the Windows Internet Name Service (WINS) and Telnet components, respectively. "On the other end of the spectrum you've got WINS and Telnet," said Malm, who predicted that their updates would be largely ignored, at least initially.
Abraham also called out MS09-044, a two-patch update for Remote Desktop Connection, software used by both client and server versions of Windows, as well as by some Mac users, to access applications and data on a remote system over a network.
Any other month, said Abraham and Malm, that update would likely rise to the top of the to-do list. "But it's flying under the radar because of the media hype about ATL and OWC," said Malm.
All four security experts also put the spotlight on MS09-038, which patches two vulnerabilities in Windows' handling of the popular AVI media file format.
"This is a classic example of a media file format bug that once you view a malicious video, you get owned," Storms said, adding that they may be ripe for worm exploitation. "All the potential is there," he said.
"Exploits of this will use a unique attack vector," agreed Abraham, who said it was notable because attacks could be based on malicious video clips. "That's a departure from the standard, and speaks volumes about how rich media has become crucial to the Internet." Attackers could exploit the media format flaws by duping users into visiting Web sites that host rigged video.
"We're going to feel the 19 [vulnerabilities] this month," Storms said. "Because of the disparate systems that need to be patched and the wide variety of software that must be tested, everyone will be feeling the pain this month."
"Microsoft's dumping a huge chunk on people today," Malm agreed.
The August updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.