MS Patch Tuesday: 9 bulletins, 6 rated critical

Summary: Microsoft today released six bulletins with fixes for at least nine documented security vulnerabilities in a range of products that put users at risk of malicious hacker attacks. At least two of the vulnerabilities are currently being attacked in the wild, so it's imperative that Windows users and administrators treat these patches with the highest possible priority.


Microsoft today released six bulletins with fixes for at least nine documented security vulnerabilities in a range of products that put users at risk of malicious hacker attacks.

At least two of the vulnerabilities are currently being attacked in the wild, so it's imperative that Windows users and administrators treat these patches with the highest possible priority.

Of the six bulletins in the July batch of patches, three are rated "critical," Microsoft's highest severity rating.

[ SEE: Dangerous Microsoft DirectX vulnerability under attack ]

They are:

  • MS09-029: This covers two privately reported vulnerabilities in the Microsoft Windows component Embedded OpenType (EOT) Font Engine. The vulnerabilities could allow remote code execution. Rated "critical" for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
  • MS09-028: This update fixes three separate vulnerabilities (one publicly disclosed and under attack!) in Microsoft DirectShow. The vulnerabilities could allow remote code execution if a user opened a specially crafted QuickTime media file.
  • MS09-032: This security update resolves a privately reported vulnerability in the Microsoft Video ActiveX Control. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer that uses the ActiveX control. This vulnerability is currently being exploited in the wild! Rated "critical" for all supported editions of Windows XP and "moderate" for all supported editions of Windows Server 2003.

Three other bulletins were issued to cover a solitary bug (rated "important") in Microsoft Virtual PC and Microsoft Virtual Server; a privilege escalation issue in Microsoft Internet Security and Acceleration (ISA) Server 2006; and a remote code execution hole in Microsoft Office Publisher.

It's important to keep in mind that another ActiveX control vulnerability has been confirmed by Microsoft but is not yet patched. This is also being exploited in the wild.

Microsoft has shipped a Fix it tool to assist users in mitigating the risks associated with this vulnerability.
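The Fix it for the unpatched control, like the MS09-032 update itself, works by setting ActiveX "kill bits": a flag in the registry that stops Internet Explorer from instantiating a control by its CLSID. The script below is an added example for administrators who want to verify that the kill bits actually landed on a machine (or set them on a machine the Fix it could not reach); it is not code from the article or from Microsoft. The two CLSIDs in `$ClsidsToCheck` are placeholders, not the real control identifiers, so substitute the CLSIDs listed in the bulletin or Fix it you are verifying. The registry location, the `Compatibility Flags` value and the `0x400` kill-bit flag are the documented Internet Explorer mechanism.

```powershell
# Added example (not from the article or Microsoft): audit and set ActiveX kill bits.
# IE refuses to load a control whose CLSID carries 0x400 in "Compatibility Flags" under
# the ActiveX Compatibility key. The CLSIDs below are PLACEHOLDERS, not real controls.
$ClsidsToCheck = @(
    '{00000000-0000-0000-0000-000000000001}',  # placeholder CLSID
    '{00000000-0000-0000-0000-000000000002}'   # placeholder CLSID
)
$KillBit = 0x400

function Get-ActiveXCompatPaths {
    param([Parameter(Mandatory)][string]$Clsid)
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # On 64-bit Windows the 32-bit IE reads a second view under Wow6432Node; check both.
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }
    return $paths
}

function Test-ActiveXKillBit {
    # Returns one record per registry view: whether the kill bit is present for the CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in (Get-ActiveXCompatPaths -Clsid $Clsid)) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Clsid   = $Clsid
            Path    = $p
            Flags   = if ($null -eq $flags) { '(absent)' } else { '0x{0:X}' -f $flags }
            KillBit = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Set-ActiveXKillBit {
    # Mitigation: OR the kill bit into the existing flags so other flags are preserved.
    # Requires an elevated session; -WhatIf shows the change without applying it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($p in (Get-ActiveXCompatPaths -Clsid $Clsid)) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $current) { $current = 0 }
        $new = $current -bor $KillBit
        if ($PSCmdlet.ShouldProcess($p, "Set Compatibility Flags to 0x$('{0:X}' -f $new)")) {
            Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

# Report: any row with KillBit = False means that view of IE can still load the control.
$ClsidsToCheck | ForEach-Object { Test-ActiveXKillBit -Clsid $_ } |
    Format-Table Clsid, KillBit, Flags, Path -AutoSize
```

Run the audit as-is after applying the update or Fix it; `Set-ActiveXKillBit -Clsid '{...}' -WhatIf` previews the mitigation for a control, and dropping `-WhatIf` applies it. Setting the kill bit disables the control for every web page, which is exactly the tradeoff the Fix it makes, so the audit is the part most useful on a fleet: it tells you which machines still need the mitigation.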




  • Chalk up another win for Vista.

    All the vulnerabilities affecting the desktop OS are mitigated through standard user rights and Protected Mode.
    • what about netbooks?

      So people who are running XP on their shiny, new netbooks are out of luck? MS just says "sorry we needed to defeat linux with the all-familiar XP you wanted so badly, and sales trumps security"

      • Not at all.

        Standard User rights can apply in XP as well. It's just not the default.
        • that is for sure

          I have tried many times to set up a user to have non-admin on XP and use run-as, they hated it.

          The same folks complain about Vista's UAC. It is a lose-lose situation with these types of users (tempted to say "the average user"...)
          • Well, here's your solution for XP. No more security issues......

            Your users won't "hate" DropMyRights, which allows them to define which programs will automatically run with reduced rights. You define which apps and you are done. The rest is transparent.
            So we don't have to hear about how hard it is to run as a standard user any longer.

          • good solution

            That looks promising, except for users who absolutely have to install things on their own

            install-me-shiny-new-app.exe - it's just too tempting... akin to the red button that says "do not push" there is always someone who does "because it is there" :)
          • better...

            I have a better solution: upgrade to Linux.
          • @ scorch

            Yes, because we all know that when it comes to stupid users breaking things, putting them into a Linux environment makes perfect sense. While I like *Nix, it's not the answer to anything; it's a niche OS, always will be. Cry all you like, the majority of people *don't* like it; when it's offered side by side with XP it loses every time. Why? Because people do not want to bother learning a complicated OS that isn't user friendly and has people like yourself acting like it's going to save the world.
          • Excellent idea, scorchgeek

            Although based on the immediate response you got above, some people are incapable of thinking outside their own little Micro$oft world...
            Wintel BSOD
          • That's odd...

            You must not have properly educated the people you set up that way. I set my parents up (before I moved them over to Fedora Core 11, actually) with 2 accounts, a "General User" and a "Power User" account. By default they were logged on with the General User, which was an XP limited user account. I never heard a peep out of them like I did all the time before regarding spyware, popups, computer slowdowns, etc. If they needed to install an app, they logged onto the Power User and installed it, then went back to the regular user. I was also able to hit this box with LogMeIn Free, so I was able to remotely manage them at any time.

            The users complaining about UAC is because they don't understand what it's doing. Honestly they probably don't even care, but it's integral for the security of the desktop. Mac OS and Linux do the same, albeit they require you to supply the password. Windows can be set up to require the administrative or user password for elevation, but MS left that off by default for the sake of simplicity. Maybe you should take a moment to talk to the users and explain why UAC is necessary. I did, and everyone I explained it to is happy.
          • Stupid is as stupid does

            I have users that understand security measures (and I thank the stars for them) and are able to run xp / vista without probs - some even willing to try linux as their main os

            And there are those who I see about once every 6 to 8 months for a full "format C:" and reinstall because they were infected something through web / email / filesharing - and no amount of preaching / teaching does any good.

            It's just the way it is man, as much as I would like to shun the ignorant user - I just can't in good faith... as long as they bring some beer along w/ their PC I am willing to work on it :)
          • True...

            Stupid users keep us employed :)
          • Re; Stupid is as stupid does . .

            Both doolittle and JT seem to be right here.

            I try the same from time to time (educate users as I am fixing their PC).

            Alas, it does work only on some. The others keep coming back.

            It is like: They do the same thing again and again and STILL expect a different result.

            At least it adds to my income; if it is a friend it adds a tiny bit to my income but improves my beer supply (along with some pleasant company; they are still fine friends and O.K. in other fields than PCs).
      • You say that like it is a bad thing.

        XP is used because it is inexpensive (effectively obsolete but still used) and Vista may require more power than some of these netbooks have available. Besides, not everyone cares about security if the cost is low enough.
        • a step backwards

          MS needs to roll out a "lite" windows 7 for netbooks - not keep a legacy OS on life support.

          then again, I do know a few folks who have 500mhz laptops and still run win98, and call it their "netbook" :)
          • Windows 7 IS lite

            I'm running the RC as a default OS on mine :)
            The one and only, Cylon Centurion
          • Let's hope they get it right

            ... and not force the "starter edition" on the low-end netbook users (at least "home premium" is a minimum of "what people want")

            Curious about the pricing model for W7 netbooks and how they relate to the various versions

            The bottom line is going to be the "average user" expectation of a netbook (regardless of what OS is running), and whether or not they will return it in favor of a full desktop replacement (because it is "what they want" - lol)
          • Then they don't understand the point of a netbook..

            which goes back to educating your user. People are picking up netbooks w/o research because they are "cheap". It's the OEM/sales guy's fault admittedly, but also on the consumer for buying something not suited to their needs. If you need to get online, read email, and do some light work - hey, a netbook is fine - anything else? Get a real laptop that CAN run Vista or 7 Home Premium.

            I bought my netbook with Ubuntu from Dell and actually it was great - I just don't like Ubuntu so I switched to Fedora, but the OS is irrelevant when doing actual netbook tasks.
          • Re; "average user" expectation of a netbook . .

            Yes. As both doolittle and JT seem to agree on: Too many netbook buyers do not know what they are buying.

            There is a reason there have been more returns on netbooks than other types of computing devices.

            The returns seem to be the same on Linux and Windows ( disregard the MSI insult !), which quite clearly indicates that the expectations are higher than netbooks can deliver.
          • Windows 7 won't run on my Netbook...

            My 1.5 year old Asus Eee PC has a 4GB SSD. Since Win7 wants:
            -1 GHz processor (32- or 64-bit) [got it!]
            -1 GB of RAM (32-bit); [got it!] 2 GB of RAM (64-bit) [64 bit on a netbook is just silly]
            -16 GB of available disk space (32-bit); [bleep! I guess Linux has to stay. At least I have 3.2GB of free space left for my open office documents...] 20 GB of available disk space (64-bit) [N/A]