Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Fixes 9 Flaws in Monthly Patch Release



 By: Brian Prince
2009-07-14
Article Rating:starstarstarstarstar / 3


There are 1 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Microsoft patches nine vulnerabilities for Patch Tuesday July 14. Among them are two critical security flaws that have come under attack by hackers.

Microsoft released six security bulletins for Patch Tuesday on July 14, including fixes for vulnerabilities affecting DirectShow and the Video ActiveX Control that have been targeted by attackers.

The bulletins address a total of nine vulnerabilities. Three of the bulletinsthe ones affecting DirectShow and the Video ActiveX Control and a third addressing issues in the Embedded OpenType Font Engineare rated critical and deal with flaws with the highest possible rating on Microsoft's exploitability index, meaning consistent exploit code is likely.

There are three vulnerabilities in DirectShow addressed this month, with the one under attack residing in the QuickTime Movie Parser Filter. An attacker could exploit the vulnerability by tricking a user into opening a specially crafted QuickTime file or receiving specially crafted streaming content from a Website or application. The other two bugs are pointer and size validation vulnerabilities.

Resource Library:

Information about workarounds is available here in the Microsoft advisory.  

The Video ActiveX bulletin fixes a single remote code execution issue in the ActiveX Control msvidctl.dll that Microsoft warns attackers are exploiting through drive-by downloads. 

The final critical bulletin, MS09-029, covers two flaws in the Windows EOT (Embedded OpenType) Font Engine that allow remote code execution. The bulletin is rated "critical" for Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. 

"Today's release is important because patches were released for two recent zero-day attacksa QuickTime file parsing vulnerability and the recently announced DirectShow vulnerability," Eric Schultze, CTO of Shavlik Technologies, said in a statement. "Both vulnerabilities are reported as being actively exploited on the Internet [We recommend] that network administrators download and install the patches for these two bulletins as soon as possible."

The remaining bulletins, rated "important," affect Microsoft Office Publisher, Microsoft ISA Server, and both Virtual PC and Virtual Server.  

No fix was released for a flaw in Microsoft Office Web Components that the company warned July 13 had come under attack. McAfee Avert Labs reported finding new attacks that exploit the vulnerability involving Web sites booby-trapped with malicious code. The compromised PCs become part of a botnet, explained Dave Marcus, director of security research and communications for the lab. 

As a workaround, Microsoft recommends users prevent Office Web Components from running in Internet Explorer. Instructions for how to do that are available here.





  Reader Comments: Microsoft Fixes Nine Flaws in Monthly Patch Release
>>> Post your comment now!
AppGuard & EdgeGuard Users Can Take their Time Implementing Patches
We generally recommend implementing software updates. Afterall, even though you're protected from exploits on vulnerable applications and other...
Posted At: 07-16-09
By: Eirik Iverson
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Brian Prince
 


x}ks8q8cH)ٖcm,k)fV(8H.I?q /=hɏLdƶD /4{$ G7L{B:1(ٟ9#ޙ'w>{(ɑԫQ]}nw2'v=7v@\}@^cFwD%x_'Щ=ѩ€wɔiPلި/3}B}F7\3egb^Q$Ё_ ¢%yCGu)pC(DsXqDǎH;*C'x8ӽi/DeO؀IQIM"x<&j>wn=ݣw2 X]~j4Lߵ!Zpj9:TN`UFfnڭaㅰH A=c9p<vt#wJ3q򿹓' ڪ8NQp/F:t,#E#rdБԣzr(˺79hen6 u{RM*QR,הb~/^ߛiLTe9z㯽 j:U0> n0tp;܀RrLE}ruuqN6nxvy/ȯ0wND_*QI- Y|/LZ@GS::Y'v{jwjzQҏZN-ԊhGZAAr,f3}3+i*5$v*?ZZu"uuX&ZhCA+t19zqsvz|qӾOZ=$/#t6+?f'_ZUկ7#?o!af;dP{pHj&H ?vO_Zd[W/'$'MDO0o-Yn]H.MT|Y|ěy#0ri4(.ߦAfw[ atBjmҔ )B:%ϹyWϝ5>Hr Ca)#8?S%Wi8@r1)6K .&7R<?o dz!CCZ9nVȨUSA%EI7CD r2#~B(PHQ>z%Kus7p#Kg񇰻fe՜YWa o\zcOgfu.~z8^%glh|X.B2iK1.PWG5MGRŦcWJPX=*‹JMU~ _1q-~~j0B m]& :V}< |0F;}F_{g0PӐ?: M/6G˥qnhj>'ݨä p;p|g͇v9s a {>0sF}j`I l"v|scм`y&nAܙ@[3衟#]ӽ:?A2/?>fxsO>{0g`sDowiC1QB\jÐx?k1 Tt=JIA }At"BђF 4  gscX"C"' [AX;k ab .u@G҅3qjP*kR1eb -x[b~ILg2+Iɴh4Z*ȉ#m"09X -gZ X%ּ fiZ\OG4MhȄ%Gn]ռs2H`wrPCb;*S::ޟx=~ h? OzuG  +ZsξS : jAkdfD ی3$!UT:E)'>E5  dh*O|Nx@̍ Ez . ڀ H }"T0|*UT `nR@@kRUԓ.ZE^~~ V%$mtX6H =:{BQ7ߏ90gxWyd.>3IR-ʪZJ: _ >玾2Fu*ZWּ}ZP^LjB:dHtݣk;J%Sf1Nō'ZAaC|ٜm!zUqʀWIe& 24N;_NNVͯ6> s7}&-nfu½ϼt#pb9s#OP͕GX Qljq7v@Aū}#}2e+7atE?Oi_2< Fd&T~!\yy؜AYo^a+o>5=1۠~V d WB&c=ܕOa*r6_>M=;L4;S0\]>w"qfD dkŎ| ۬rO$ O-v4X+m8 dE]]|f#'<,q$6 cr0>EpXH;}'c> P5ĺqK))r,*H+ů 3ˁ#_.qDz[TUe@5yģT3#y $6-.wEЋѶ7Gj&l|l&\#2OB(KYM,aTJp9҃ NAQW9K=XT\SGzN<ݠ1pS JM1H>rS-BdrQT4 J7 \vO 9MLt  B LKBb;?mͥ57gXN@B59( !wI#̸y0×!wg O@lB=.bIw :.v¼u[ XLh;ɲCXvIW4cV*J7ѭj՚*NӪV$,< ?>d',j+LGI4^&.2O%WW< qѿOŏ{_7ЍF_IΝrQӊ 5`JR'0 阆cu ( rA-GY`Q.|aR)*`?%ʠK= j ;! 8`& Mx)mK Rٟ:sɖBzI(Ԉ xϰLty' eVqc?s~~<ڝ?NeB&{fB, '8oHzq!O'^y{{<=m_~;l᳋Y?R`f{r+~p:K%E7;"˖u ߽<rD.5/.Y"GB9h5S|OM1&05h"sF#w҃amH!u,5' ^t%V}Xm!q6(FGVAΈvY?{xXL7mb9n4/kҼ?1L[_ |1$?[0;#|&~>xFM{@uS意g 9r~nmԕa6FKp?OKoҽ{g;᧥}es7tS/*Y$DH!Hn e_"2gNIJn/:K9z `< ,fJfzӼ2iAxn>7 <}tK7bR8A?!}|} ~ ]=PI=w뻿~=Ғ(r_&ZD Npw5Q{qI9.t}?,s`\TzH^8Xڃ}uUL&mquOxhL Z;whor:? G Ofx՛3\QIqp~n ֘@lll4RbhLy]9٢pr[m0\9f>m` \8Vc"OlY ގb;ˌ.-j:*bcbp C4[;b%-xDdId+w$e%!-̝m rD ̴B|YL+ć6&6cH \Ep :@\\g&/u-<&l|XpQYZRS%z=1Qmޚ\MDD4AX$l+h31ɾ6Bl=/'zTZ&@: L).2.w"h;kIㆩ_::,$>2k6I)bCf-]Pv@I=mKk^10zQZ9&P|JefN)DzǢ%'a k`}@X 7c8עWE*y3^މT˒H%p7ŹUSwXptRg! Ke_l)Qp%<>,~{1UtXe@o9?/ei|Q{E6K|Yꁔ'p3]H_c/`$2򂢭UZ0Q+6Z/Ys0#xCD;䘥|#z/ڒN_-]4/'s3"䘱Ju H aHg36ň`5{&B$<ƮolI!/^W`/ XL.umڿw=n z*Hux] {O8غdPz)Av(p=q#]`KU`aa! pmD \2R@"H1;x)hi3]νE J"8 44ҖTbϩXOt >mU,x5 ijs޼%B,7PP> r$;4zL x1P[i9$v䕛RojD.^e>GX(6^R {w<_R ji)$ 8K'8~aga鵑j<&oIw&բվmfOKjcktKkQ l龳س`͆Y S$!aSd#3Hʞqa7v}Os=#EH6[|ULD 4BAl?hێmͯl=a*7=ka}d gzo6x.fOɁئ3׽[tÞLoCT.I-vy/uc6s`"#\~'|xDÛCx Y r"< T 2%̵\9nӂ9Y7IU4AаLQg=U |4 k;>S61 jp_T>6ԭFc0Lx={8\co_O[4Vhp>™8JA+sa\0k=?WW"K2u\ݲ þ%⛽N2ŗ@9rO|k vsTDz L1mB(1C-`F)$;1eLHj~ж}A˽=V4? mY[`cXE0m-mYޣ3玮${U2ZZJLnV95|0zl^Bif#e։ V(3Tag5skxR([0GL7zfb>8\AO=cЃ%:?w}LLUjΝco(jB5?}j闶UȱG}ӟ]˼ eMZNܓatXz )Zap]?rEc3c6sl":?Gxn0|n;*0a8{7~y@(_To\kE_A--Ŵhgϡ?7,%\vҐtrC(u8xJ?A뽰 0.$o,SP0G4;UST4kL]o0q_n]^LǔvTǏ{ѭ9's:^я{:駠TCn3Aoh@MutxGw7]mē{ͮqOb2 k)G>?F5N:^o? D*X\= !kjb`!O4#|IAwy4,~D?S9E=1K>0V8E$ ;,96i~4>(CZPBZ’M=Iqs1ꚚrM&o @` ~RDZC@ O^a)qc) kpx΃L,t$l  /(_7`;LV \sj61^R>&sjx)VQjz~zr_ZJӂ,w)]do=?5֘0HtL'fITnp=jh DڤHdm^P)ÿ#rzww!_ՔV-!.ÈD(gN9XyeZ{#qȋGF^*iByKi 4K ey;,G J6_KO~G|b>>-^awv鮦ǚ4ht3!mty_:rkh!; m HXrҙ H Wkn3R)59Xa CyF}gzW'X^sjF.F{aȰ䤼6n'Yqۏo[ͳ.04&n'StAu[M@&td|G,%_ۄFFV#lEiBós..jrh%6xl+SC@#  Ĉ[ bU&wܠ~z*ڟOPe^fs B =Jl~G#hM,Ë|U:Qg|%w[RG7-Ϣ[vo¨`*“MA9(WTD~LJ/tX0/b=3-#޼>xAfaX4B&s'?7^\v CRY `Oi$~b Ƀ2vFf.BT0 7!`NV#C}A.[7VߺU Ci|Q^HZzx,&U6g>a:$.+JAWd̃  [z.p5:bh c>r*?Er6Б`5A1H3@D~;n>^_R<Ȉe1 `8*gj5T KL 2@: xE?=׽nrj&[ lx D$2mDRPactkȚ3uѱ۾blUo%P`qT|8snj=J< |AWH,D:t]\P"@J>S|??'­!P)awS0Zpn X`,2E<Cez?,GGA~2u:b@Pn 0YK7`C'[E9Y|ob{` ?ve.usx\jJO@$!Ѕ8i,)@"!9͉k#m u;5G@p),f,TՊR &uUu]j)q_]x YV^"_nӄ\I M ?$-G쌆xɺGxUO=lF(To`9ͫ/{M"OǽUݽ$ǭ Z¶-r5uwOt/[W~qfI+v>L5m^kLide(A.Sr?XԞpi.$ "Gcɂw]%;飱</^tۋ'a_<)Qe;̋ QW~0@L7OO[֖Syƫ#x]j12;ZxʝouR\js@1@C|k]N{5Bx_m^9^dBP~ (By7)pp(?g |OPisy;8oo.oӌr_;i_fC5>2ʿ@"~˘1dv2t2Ӂw2dg賓Aȣ 3ϡ~3eeϠ??}}ʠP99c|3w7Y@7{dwAI]'Izʛ|ּ…)qFy)8ΠRE৬rXB]eנVD=VbMxG,E<mc sbžȾ>s-h-(s#h60 .Ñp[{?|k2Fs?`fEi~@' @8Dw9MAw0[`\xP[ԙqqޢD)Fy5b3}e\7FAmzO4`/{hgd鋠YP͙Ȫ)N(P7Ejn2h s)螡zȧ N 7\zќ8&3 P7#:ɹT.jZQo\)Uʹ俒kD2L(8 "2< ̈ɪ"+UW9 طV++R0X\^9Q(Fuo*%K0nhy=q̐ga1Vo1BDO"׏щF]WeL+,e ȢȗᄽIگ!ā` f@2b/`{8z5(;_?0}ײmF6.eа!,sv[`\';=s2gjy }by0\9+hw L~ֶ@c d߻C!O)gQ Lwztt7 \˦=w7np*}r 1)ɝ֠}=fO45~î\< ţ:aс(Yc{XnDhG_;-(5kxG.$wb9sC@y=y plKA#Bl8s^ !0sw|0N4W[l,)1{;KH.N W`8O 챧0,JUO ؠ+.Ġ/>''4WB):3Up6 id:,Nd=:vMhq刃_ r:'쭰F |m'm_1SSFӾ"=ǚ X? >%v f\gHa)x܃ARNMaMgY{6Dπn fyy] ,pd+v/Qq1^R[aʹD.vÚVA7J-{X|@ă|xk0Wp\eC[gI2D~kF=&*P=Em- e'.ir}7{ /ݤd/+2b%Q>HYUҎ_Oׁ. ?`ɑX)un'|oW|F,[Kl`vB`09խ`*sˠv3푀*عiUhHm;:d2֭0kc'pg!MX|wVulם@ dd9a7[ԘP1$(+nOvGD g>6'كl4pM@!(Dْ0->@/7Ak~ r@c]T]&\fTj_fѮRTnlPP`Olԙz"0lB eȱ(lyJ6͜GċOgW<2ZP'jdVw(̝-ӟ~H׶Q5¶`:Vڕ*zYD1e~}=3Ӳg(q2,@zPތpPэk+Wei$ցi>ΈRnãōGHǸ׭[ [ qy6` <Щ1D\bvE9b6M ѨpSTؕElds^kgycE]Y>;Ѝ ϰ1ngNb *φŀ𞭟{̾16 ^f+1ݱOR6Ȥ{ ePCik=Z+ 0DqS XǢVWqTR:!; /D?8 ciL ;acXJ ,oԛN*)Asa#Dl ;ApN--8LgѼ8"ZU9w,Cɽk xٚջU$bC=Ay,O>A@`V\3|f7tZ.Mhc{pfif#3S3 {τ ixv4<5@TF_E@G7dyUĄfٵ\RJnrmmkJ >dS1C'@j0\|H d9[\O^مu&3k9/YH~>  \99.@$NSP_Xџ],?I*g\`dv=̭q;f¦[HHdžIkckjn*