MS Patch Tuesday: 9 bulletins, 6 rated critical

Microsoft today released six bulletins with fixes for at least nine documented security vulnerabilities in a range of products that put users at risk of malicious hacker attacks.

At least two of the vulnerabilities are currently being attacked in the wild so it's imperative that Windows users and administrators treat these patches with the highest possible priority.

Of the six bulletins in the July batch of patches, three are rated "critical," Microsoft's highest severity rating.

They are:

  • MS09-029: This covers two privately reported vulnerabilities in the Microsoft Windows component, Embedded OpenType (EOT) Font Engine. The vulnerabilities could allow remote code execution. Rated "critical" for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
  • MS09-028: This update fixes three separate vulnerabilities (one publicly disclosed and under attack!) in Microsoft DirectShow. The vulnerabilities could allow remote code execution if a user opened a specially crafted QuickTime media file.
  • MS09-032: This security update resolves a privately reported vulnerability in Microsoft Video ActiveX Control. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer that uses the ActiveX control. This vulnerability is currently being exploited in the wild! Rated "critical" for all supported editions of Windows XP and "moderate" for all supported editions of Windows Server 2003.

Three other bulletins were issued to cover a solitary bug (rated "important") in Microsoft Virtual PC and Microsoft Virtual Server; a privilege escalation issue in Microsoft Internet Security and Acceleration (ISA) Server 2006; and a remote code execution hole in Microsoft Office Publisher.

It's important to keep in mind that another ActiveX control vulnerability has been confirmed by Microsoft but is not yet patched. This is also being exploited in the wild.

Microsoft has shipped a Fix it tool to assist users in mitigating the risks associated with this vulnerability.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
