Microsoft patches nine vulnerabilities for Patch Tuesday July 14. Among them are two critical security flaws that have come under attack by hackers.
Microsoft released six security bulletins for Patch Tuesday on July 14,
including fixes for vulnerabilities affecting DirectShow and the Video ActiveX
Control that have been targeted by attackers.
The bulletins address a total of nine vulnerabilities. Three of the
bulletins-the ones affecting DirectShow and the Video ActiveX Control and a
third addressing issues in the Embedded OpenType Font Engine-are rated critical
and deal with flaws with the highest possible rating on Microsoft's
exploitability index, meaning consistent exploit code is likely.
There are three vulnerabilities in DirectShow addressed this month, with the
one under attack residing in the QuickTime Movie Parser Filter. An attacker
could exploit the vulnerability by tricking a user into opening a specially crafted
QuickTime file or receiving specially crafted streaming content from a Website
or application. The other two bugs are pointer and size validation
Information about workarounds is available here in the Microsoft
Video ActiveX bulletin fixes a single remote code execution issue in the
ActiveX Control msvidctl.dll that Microsoft warns attackers are exploiting
through drive-by downloads.
The final critical bulletin, MS09-029,
covers two flaws in the Windows EOT (Embedded OpenType) Font Engine that allow remote
code execution. The bulletin is rated "critical" for Microsoft
Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server
"Today's release is important because patches were released for two
recent zero-day attacks-a QuickTime file parsing vulnerability and the recently
announced DirectShow vulnerability," Eric Schultze, CTO
of Shavlik Technologies, said in a statement. "Both vulnerabilities are
reported as being actively exploited on the Internet ... [We recommend] that network
administrators download and install the patches for these two bulletins as soon
The remaining bulletins, rated "important," affect Microsoft
ISA Server, and both
Virtual PC and Virtual Server.
No fix was released for a flaw
in Microsoft Office Web Components that the company warned July 13 had come
under attack. McAfee Avert Labs reported finding new attacks that exploit the
vulnerability involving Web sites booby-trapped with malicious code. The
compromised PCs become part of a botnet, explained Dave Marcus, director of
security research and communications for the lab.
As a workaround, Microsoft recommends users prevent
Office Web Components from running in Internet Explorer. Instructions for how
to do that are available here.