Microsoft released six security bulletins for Patch Tuesday on July 14, including fixes for vulnerabilities affecting DirectShow and the Video ActiveX Control that have been targeted by attackers.
The bulletins address a total of nine vulnerabilities. Three of the bulletins-the ones affecting DirectShow and the Video ActiveX Control and a third addressing issues in the Embedded OpenType Font Engine-are rated critical and deal with flaws with the highest possible rating on Microsoft’s exploitability index, meaning consistent exploit code is likely.
There are three vulnerabilities in DirectShow addressed this month, with the one under attack residing in the QuickTime Movie Parser Filter. An attacker could exploit the vulnerability by tricking a user into opening a specially crafted QuickTime file or receiving specially crafted streaming content from a Website or application. The other two bugs are pointer and size validation vulnerabilities.
Information about workarounds is available here in the Microsoft advisory.
The Video ActiveX bulletin fixes a single remote code execution issue in the ActiveX Control msvidctl.dll that Microsoft warns attackers are exploiting through drive-by downloads.
The final critical bulletin, MS09-029, covers two flaws in the Windows EOT (Embedded OpenType) Font Engine that allow remote code execution. The bulletin is rated “critical” for Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.
“Today’s release is important because patches were released for two recent zero-day attacks-a QuickTime file parsing vulnerability and the recently announced DirectShow vulnerability,” Eric Schultze, CTO of Shavlik Technologies, said in a statement. “Both vulnerabilities are reported as being actively exploited on the Internet … [We recommend] that network administrators download and install the patches for these two bulletins as soon as possible.”
The remaining bulletins, rated “important,” affect Microsoft Office Publisher, Microsoft ISA Server, and both Virtual PC and Virtual Server.
No fix was released for a flaw in Microsoft Office Web Components that the company warned July 13 had come under attack. McAfee Avert Labs reported finding new attacks that exploit the vulnerability involving Web sites booby-trapped with malicious code. The compromised PCs become part of a botnet, explained Dave Marcus, director of security research and communications for the lab.
As a workaround, Microsoft recommends users prevent Office Web Components from running in Internet Explorer. Instructions for how to do that are available here.