RealTime IT News

'Patch Tuesday' Will Fix ActiveX Zero-Day

Microsoft gave users notice on Thursday that it will release a total of six bug patches on Tuesday.

As it has for several years, Microsoft releases its latest cache of bug fixes on the second Tuesday of each month -- thus it's termed "Patch Tuesday." This month that's Tuesday, July 14.

After a record load of bug fixes last month, this month's patch drop will be smaller, covering only three patches rated "critical and three rated "important" -- the top two rankings on Microsoft's (NASDAQ: MSFT) four-tier severity scale.

The company typically provides users -- particularly corporate IT -- with a notification of what's to come the week before the monthly patch drop. That gives them time to prepare to roll the patches out to users in a timely manner.

Though it contains far fewer fixes as June's drop, this set of patches will be just as essential because it includes a fix for a zero-day vulnerability that has already wreaked havoc on thousands of servers and clients in China. Microsoft sent out a Security Advisory containing a workaround for the hole on Monday.

That bug primarily affects Windows XP systems, the most installed version of Windows on the planet, as well as Windows Server 2003. The hole that crackers have been exploiting is located in a part of Windows that handles video.

Microsoft said it began working in earnest on a patch for the hole as soon as attacks began spreading like wildfire -- particularly in Asia.

That's good news for users this month. Often, in cases where a new zero-day is discovered, Microsoft takes two Patch Tuesday cycles to get a patch written, tested and released. Still, the emergence of a new zero-day is concerning, according to one security firm.

"The ability of malicious hackers to independently discover and quickly weaponize vulnerabilities for website drive-by attacks has been highlighted once again," Tas Giakouminakis, CTO of Rapid7, said in an e-mail to InternetNews.com.

Also among the critical updates is another involving Windows graphics handling. Microsoft typically provides only bare bones information for upcoming bug fixes in its pre-drop notifications -- enough to enable users to plan but not enough to give crackers extra time to come out with attack code. It provides much more data when it actually rolls the patches out.

The three patches labeled as important include fixes for problems with Publisher 2007, as well as Microsoft Internet Security and Acceleration Server, and Virtual PC and Virtual Server. Microsoft's advance notice for July is located here.