Patch Tuesday Fixes Serious Holes, Leaves Another Open

14.07.2009
Microsoft today fixed a serious, under-attack flaw in a video ActiveX control, along with other critical flaws involving QuickTime files and fonts. But a critical zero-day hole in another ActiveX control remains unpatched.

The most important fix in fixes a hole disclosed eight days ago in the . The flaw, which has been under active attack, is rated critical for Windows XP and moderate for Windows 2003. The patch disables the unused (for legitimate purposes) control to stymie potential attacks, but doesn't actually fix the underlying flaw.

Note: As of 2pm, Microsoft has not yet posted the individual bulletin links (for MS09-032, etc.). Until it does those links will only bring you to the TechNet home page.

A second fix closes another under-attack hole involving the way Microsoft DirectShow processes QuickTime content. The MS09-028 patch closes three security bugs, , that can be triggered upon opening or even just previewing a poisoned QuickTime file. Windows XP, 2000 and Server 2003 are all affected, whether or not Apple's QuickTime is installed on the vulnerable PC. See the for more info.

Two critical vulnerabilities in the Microsoft Embedded OpenType Font Engine get closed with the third patch, . While neither flaw is listed as under active attack, both get a dangerous "Consistent exploit code likely" rating in Microsoft's Exploitability Index. Windows 2000, XP, Server 2003, Vista and Server 2008 are all at risk.

Three other patches close holes rated important, rather than critical. A patch for Office 2007 closes a hole in Microsoft Office Publisher that could be attacked upon opening a malicious Publisher file (see ). Two others for Virtual PC and Virtual Server (), and for the Microsoft Internet Security and Acceleration Server 2006 (), close privilege escalation security flaws and are likely of most concern for IT types.