Microsoft issued six patches that included fixes for three zero-day vulnerabilities on July 14 — this month’s “Patch Tuesday.” Two of those three — all designated as “critical” — are already being exploited on the Web.
One of the patches includes a fix for a serious zero-day
That bug is in Microsoft’s DirectShow software, a part of Windows’ DirectX display technology that handles streaming media. A successful attack would be as simple as playing back a booby-trapped QuickTime media file or clicking on a link in an infected e-mail that takes the user to a malicious site.
The patch (MS09-028) for that hole also includes fixes for two other critical DirectShow bugs that had not yet been exploited by crackers. Exploits for those two flaws would also involve tricking the user into opening a poisoned QuickTime file. At risk are Windows 2000 Service Pack 4 (SP4), Windows XP SP2 and SP3, and Windows Server 2003 SP2.
Meanwhile, a second patch (MS09-032) addresses recent zero-day attacks that take advantage of a hole in an ActiveX video control running inside Internet Explorer. The patch works by editing the Windows registry to set “kill bits” that keep the control from being run in IE. All supported versions of Windows are affected, from Windows 2000 SP4 up through Vista and Windows Server 2008.
All that would be needed to trigger a drive-by attack would be to visit a malicious Web site or click on a deceptive link in an e-mail or instant message.
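For administrators who want to confirm that the kill-bit mitigation actually took effect, here is an added PowerShell check (not from the article or from Microsoft's patch). It relies on Microsoft's documented kill-bit mechanism, the "Compatibility Flags" DWORD under the ActiveX Compatibility registry key with bit 0x400 set; the CLSID list is a placeholder, since the article does not name the control's CLSID, and the real values come from the MS09-032 bulletin.

```powershell
# Added example: audit whether IE kill bits are set for the ActiveX controls
# named in a bulletin such as MS09-032. The CLSIDs below are placeholders;
# take the real ones from the bulletin's "Set the kill bit" workaround section.
$Clsids = @(
    '{00000000-0000-0000-0000-000000000000}'  # placeholder, not a real control
)

function Test-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    # IE stores kill bits under ActiveX Compatibility\<CLSID> as the DWORD
    # "Compatibility Flags"; bit 0x400 means "do not instantiate in IE".
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        # 32-bit IE on 64-bit Windows reads the Wow6432Node view instead
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )

    foreach ($path in $paths) {
        # Skip registry views that do not exist on this machine (e.g. Wow6432Node on 32-bit Windows)
        if (-not (Test-Path (Split-Path $path))) { continue }

        $flags = 0
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if ($null -ne $item -and $null -ne $item.'Compatibility Flags') {
                $flags = [int]$item.'Compatibility Flags'
            }
        }

        # One result row per registry view; KillBit is $true only when bit 0x400 is set
        [pscustomobject]@{
            Clsid   = $Clsid
            Key     = $path
            KillBit = (($flags -band 0x400) -ne 0)
            Flags   = ('0x{0:X}' -f $flags)
        }
    }
}

$Clsids | ForEach-Object { Test-KillBit -Clsid $_ } | Format-Table -AutoSize
```

A row with KillBit set to False for a CLSID listed in the bulletin means the control can still be instantiated in IE on that machine, so the patch or the advisory workaround has not been applied there.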
A third patch (MS09-029) fixes two other critical holes that also affect virtually every version of Windows from Windows 2000 SP4 up through XP and Vista, and even Windows Server 2008. There have been no known attacks that exploit these holes yet, however.
The patch blocks attacks through flaws in what are known as Embedded OpenType Fonts — a Web site technology that’s used to ensure that the text on the site looks the way the page designer intended.
Microsoft did not have time to include a patch for another zero-day vulnerability that cropped up on Monday, and was already being probed by hackers at that time.
The company has a patch in work and, in the meantime, recommends users adopt the workaround it published in a Security Advisory on Monday. Users can either manually edit the Windows registry, or take advantage of Microsoft’s Fix It For Me service.
For users who prefer not to have Microsoft install patches automatically via Automatic Update, the individual Security Bulletins and the patches that accompany them can be found on Microsoft’s TechNet Security site.