Redmond (WA) – Microsoft is to patch three ActiveX vulnerabilities rated ‘critical’ next Tuesday (July 14).
Six patches will be available on Windows Update from 10:00 am PDT, including three critical updates affecting Windows, one important update for Publisher, one important update for Internet Security and Acceleration (ISA) Server, and one important update affecting Virtual PC and Virtual Server.
The critical patches include the issue discussed in Security Advisory 971778 concerning a vulnerability in DirectShow. Microsoft says it is aware of ‘limited active attacks’ that have allowed remote code execution after users opened specially crafted QuickTime files. Windows 2000 Service Pack 4, Windows XP, and Windows Server 2003 are vulnerable, but all versions of Windows Vista and Windows Server 2008 are safe, says the company.
Security Advisory 972890 warns of another vulnerability, in the video ActiveX control, which is addressed in the patch. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.
Again, Microsoft says it is aware of a number of attacks attempting to exploit the vulnerability. In the meantime, Microsoft ‘encourages customers to continue to enable the workaround by running the “Microsoft Fix it” solution published last week’, which involves removing support for this ActiveX control from Internet Explorer.
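Removing support for a control from Internet Explorer, as the workaround above does, relies on the browser's kill-bit mechanism: IE refuses to load any control whose CLSID has bit 0x400 set in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility. The PowerShell below is an added example for administrators who want to verify that the workaround took effect on a machine; it is not code from the article or from Microsoft. The CLSID it checks is a placeholder, not an identifier taken from the advisory, so substitute the CLSIDs of the control you need to audit.

```powershell
# Added example (not from the article or from Microsoft): audit whether the
# Internet Explorer kill bit is set for one or more ActiveX control CLSIDs.
# The kill bit is bit 0x400 of the "Compatibility Flags" DWORD stored under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
# On 64-bit Windows the 32-bit browser reads the Wow6432Node copy, so both
# hives are checked.

$KillBitFlag = 0x00000400
$BasePaths   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-ActiveXKillBit {
    <#
    .SYNOPSIS
      Returns one record per CLSID and registry view, stating whether the
      kill bit is present. Read-only: nothing is modified.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Clsid
    )

    foreach ($id in $Clsid) {
        foreach ($base in $BasePaths) {
            # Skip the Wow6432Node view on systems that do not have it (32-bit Windows).
            if (-not (Test-Path $base)) { continue }

            $keyPath = Join-Path $base $id
            $flags   = 0
            if (Test-Path $keyPath) {
                $props = Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
                if ($null -ne $props) { $flags = [int]$props.'Compatibility Flags' }
            }

            [pscustomobject]@{
                Clsid      = $id
                View       = if ($base -like '*Wow6432Node*') { '32-bit' } else { 'native' }
                KeyExists  = (Test-Path $keyPath)
                Flags      = ('0x{0:X8}' -f $flags)
                KillBitSet = (($flags -band $KillBitFlag) -ne 0)
            }
        }
    }
}

# Placeholder CLSID for demonstration only; it is not a real control identifier.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

A row with `KillBitSet` equal to `False` in either view means the browser on that machine will still instantiate the control, so the workaround has not been applied (or has been reverted) there. The function only reads the registry; applying the kill bit itself is what the vendor's Fix it solution does.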
Most of the updates will require a restart, and more details will be available here next week, adds Microsoft.