Microsoft repaired critical zero-day flaws affecting the video streaming technology in Windows, but left vulnerable a newly discovered hole in Office Web Components being actively targeted by hackers.
The software giant issued six updates this week as part of its Patch Tuesday release, which falls on the second Tuesday of each month. Microsoft rated three of the updates critical and three important, addressing both client-side and server-side vulnerabilities across its products.
Two critical bulletins addressed three zero-day vulnerabilities in the Microsoft DirectShow video streaming software identified in May, as well as a recently reported Video Controller ActiveX control flaw. The vulnerabilities were being actively targeted in ongoing attacks. A third critical bulletin addressed two vulnerabilities in the Microsoft Embedded OpenType Font Engine.
MS09-032 addresses the Microsoft Video ActiveX Control zero-day, acknowledged in a security advisory issued last week. The exploit code for the flaw was released July 11 on a China-based vulnerability website. It is remotely exploitable with little user interaction.
The flaw is located in the ActiveX control msvidctl.dll, which is used by Windows Media Center to build filter graphs for recording and playing television video. Because the ActiveX control can be instantiated in Internet Explorer, attackers can exploit the flaw through the browser. The update affects users of Microsoft Windows 2003 and Windows XP.
The flaw was discovered by Ryan Smith and Alex Wheeler of IBM ISS X-Force in 2008. Security experts criticized Microsoft for taking more than a year to address it. Microsoft said the update took time because a number of interfaces were affected by the ActiveX control, but some security experts say the software giant needs to act faster.
"I don't see a good technical reason or a good customer impact reason for taking over 12 months to address these issues particularly when they're addressing them with killbits," said Josh Abraham, a security researcher at vulnerability management vendor Rapid7. "Microsoft seems to be blurring the lines between things like ActiveX, the browser and the operating system overall and really trying to explain to the world that when you're responsible for an operating system of this magnitude that it's very complex to make these kinds of fixes without impacting end users."
ActiveX, developed in 1996, is used to perform functions independent of Windows. Microsoft issued an advisory on Monday on another ActiveX vulnerability affecting Office Web Components. ActiveX is so widely used that it's unlikely that it will ever be phased out, but companies that remove administrative rights from end users can dramatically reduce the attack surface of ActiveX vulnerabilities, said Eric Voskuil, chief technology officer of BeyondTrust. Microsoft has also tried to prevent ActiveX exploits by deploying protected mode in Internet Explorer and improving security functions in Windows Vista.
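The two mitigations mentioned above, setting an IE kill bit on a vulnerable control and keeping users out of the Administrators group, can both be verified from an administrative PowerShell session. The script below is an added example, not code from the article or from Microsoft. It assumes the documented location of the kill bit (the 0x400 flag in the "Compatibility Flags" value under the ActiveX Compatibility key); the CLSID shown is a placeholder to be replaced with the CLSID listed in the relevant bulletin.

```powershell
# Added example (not from the article): audit the two ActiveX mitigations
# discussed in the text, the IE kill bit and non-administrative end users.

function Test-ActiveXKillBit {
    # Returns one object per registry view, reporting whether the kill bit
    # (0x400 in "Compatibility Flags") is set for the given control CLSID.
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid   # placeholder format: '{00000000-0000-0000-0000-000000000000}'
    )

    $KillBit = 0x400
    $paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
    # On 64-bit Windows the 32-bit browser reads the Wow6432Node view as well,
    # so a kill bit set in only one view leaves the other browser bitness exposed.
    if ([Environment]::Is64BitOperatingSystem) {
        $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    }

    foreach ($p in $paths) {
        $flags = $null
        if (Test-Path $p) {
            $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Path       = $p
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(absent)' }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

function Test-CurrentUserIsAdmin {
    # True when the current token is a member of the local Administrators role;
    # per the article's point, a "true" here means malicious ActiveX code run
    # in this session would inherit administrative rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Usage: substitute the CLSID from the bulletin for the placeholder below.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
"Current user is local administrator: $(Test-CurrentUserIsAdmin)"
```

A control whose kill bit is absent in either registry view should be treated as not mitigated in that browser bitness; the patch itself, rather than a hand-set kill bit, remains the authoritative fix.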
"The bad code can do whatever the user can do," Voskuil said. "In most corporate environments the end users themselves are as much of a threat as the bad code."
Also addressed by Microsoft are three DirectShow flaws that have been actively targeted by attackers since May. MS09-028 addresses the three flaws in the DirectShow media-streaming architecture for Windows; they affect the QuickTime parser in DirectShow. Attackers have been using malicious QuickTime files to exploit the flaws in limited attacks, according to Microsoft. User interaction is required for these flaws, Microsoft said. The update affects Microsoft Windows 2000, Windows XP and Windows Server 2003.
MS09-029 is a critical bulletin that addresses two vulnerabilities in the Embedded OpenType Font Engine that could be exploited remotely by an attacker embedding malicious code in a font to take complete control of a system. Errors exist in the way the font engine parses name tables and data records in both Office documents and Web content, according to Microsoft. The vulnerabilities are primarily client-side, but servers are also affected; most controlled environments shouldn't have people logging onto a server to process Web content or Office documents.
Security researchers should deploy the patch repairing the vulnerabilities as soon as possible, Abraham said. Researchers are not currently seeing exploitation in the wild against this vulnerability. "That's just due to the fact that people haven't had the time to turn this into a usable exploit," he said.
The final client-side bulletin, MS09-030, is rated important and addresses a vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a malicious Publisher file. The vulnerability affects Microsoft Office 2000, 2003, XP and 2007. An error exists in the way Publisher opens, imports and converts files created in versions older than Microsoft Office Publisher 2007, Microsoft said.
Two server-side bulletins were released. MS09-031 addresses a vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006; it affects ISA Server 2006 only when it is configured for Radius One Time Password authentication. MS09-033 addresses an error in Microsoft Virtual PC and Microsoft Virtual Server. Microsoft said Virtual PC and Virtual Server incorrectly validate privilege levels when executing specific instructions in the Virtual Machine Monitor.