Microsoft to Plug DirectShow, Video ActiveX Security Holes

Microsoft plans to swat two Windows bugs that have come under attack by hackers as part of the July 14 Patch Tuesday.

Among the collection of patches are fixes for the DirectX vulnerability that Microsoft first warned users about at the end of May. But also slated to be fixed is a vulnerability in the Video ActiveX Control that the company warned about July 6.

“I want to provide some clarity on two of the pending Windows updates mentioned,” blogged Jerry Bryant, a Microsoft Security Response Center team member. “First, we will be addressing the issue discussed in Security Advisory 971778 concerning a vulnerability in DirectShow … Second, our engineering teams have been working around the clock to produce an update for the issue discussed in Security Advisory 972890 (vulnerability in the Microsoft Video ActiveX Control) and we believe that they will be able to release an update of appropriate quality for broad distribution that protects against the attacks we detailed in the advisory and in an MSRC blog post by Christopher Budd.“

While customers wait, they can enable the workaround for the Video ActiveX flaw by following the instructions here. Information on mitigations for the DirectX vulnerability, which lies in the QuickTime parser in Microsoft DirectShow, can be found here in the workarounds section of the advisory. Microsoft DirectX is a Windows feature used for streaming media to enable graphics and sound when playing games or watching video. DirectShow works within DirectX to provide client-side audio and video sourcing, manipulation and rendering.

All told, there are six bulletins scheduled for next week’s Patch Tuesday. In addition to the aforementioned bugs is a third bulletin for Windows that is rated “critical.” There are also three updates rated “important” for ISA (Internet Security and Acceleration) Server, Virtual PC and Virtual Server, and Microsoft Office Publisher.