At least two of the vulnerabilities are currently being attacked in the wild, so it's imperative that Windows users and administrators treat these patches with the highest possible priority.
Of the six bulletins in the July batch of patches, three are rated "critical," Microsoft's highest severity rating.
- MS09-029: This covers two privately reported vulnerabilities in the Embedded OpenType (EOT) Font Engine, a Microsoft Windows component. The vulnerabilities could allow remote code execution. Rated "critical" for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
- MS09-028: This update fixes three separate vulnerabilities (one publicly disclosed and under attack!) in Microsoft DirectShow. The vulnerabilities could allow remote code execution if a user opened a specially crafted QuickTime media file.
- MS09-032: This security update resolves a privately reported vulnerability in the Microsoft Video ActiveX Control. The vulnerability could allow remote code execution if a user views, in Internet Explorer, a specially crafted Web page that uses the ActiveX control. This vulnerability is currently being exploited in the wild! Rated "critical" for all supported editions of Windows XP and "moderate" for all supported editions of Windows Server 2003.
The three remaining bulletins cover a single bug (rated "important") in Microsoft Virtual PC and Microsoft Virtual Server; a privilege escalation issue in Microsoft Internet Security and Acceleration (ISA) Server 2006; and a remote code execution hole in Microsoft Office Publisher.
It's important to keep in mind that another ActiveX control vulnerability has been confirmed by Microsoft but is not yet patched. This is also being exploited in the wild.
Microsoft has shipped a Fix it tool to assist users in mitigating the risks associated with this vulnerability.