Six patches on Microsoft's July patch day
As planned, Microsoft has released six security bulletins for the July patch day, including one that closes the DirectShow vulnerability already being actively exploited. Three of the update bundles are classed as "critical". As well as DirectShow (part of DirectX), these affect the Video ActiveX control and the Windows Embedded OpenType Font Engine. The company rates the updates for Virtual PC and Virtual Server, Office 2007 and ISA Server 2006 as "important". Microsoft expects working exploit code to appear for all of the vulnerabilities. The updates for the font engine, Virtual PC and Virtual Server, and ISA Server require a system restart.
The DirectShow update (MS09-028) patches DirectX 7.0 and 8.1 on Windows 2000 and DirectX 9.0 on Windows 2000, XP and Server 2003. DirectX 10 on Vista and Server 2008 is not affected. The update closes three vulnerabilities in total: the publicly known DirectShow hole, plus two that were reported privately and had not been disclosed. All three are triggered while parsing QuickTime media data and can be used to execute arbitrary code with the privileges of the logged-on user, for example when visiting a crafted web page. The update makes the previous workaround, which disabled QuickTime parsing in DirectShow's quartz.dll, unnecessary.
MS09-029 fixes two vulnerabilities in the Embedded OpenType (EOT) Font Engine, a Windows system component; both could be used to execute arbitrary code, for example through a web page or e-mail carrying a crafted EOT font. EOT is a special embedded font format for web sites and e-mails. Of the currently supported Windows versions, only Server 2008 Core installations are not affected.
After installing the July patch (MS09-030), Office users no longer need to be wary when opening Publisher files: under certain circumstances a crafted file could previously be used to execute arbitrary code. The vulnerable version of Publisher shipped only with Microsoft Office System 2007, with or without Service Pack 1. Users of older Office versions, and those who have already installed Service Pack 2 for Office System 2007, are not affected.
The patch for Microsoft Internet Security and Acceleration (ISA) Server 2006 (MS09-031) stops unauthorised users from accessing arbitrary published resources when Microsoft's security gateway is configured for RADIUS OTP authentication. An attacker could exploit this to gain complete control over systems that rely on a vulnerable ISA Server 2006's web publishing rules for authentication.
The Video ActiveX control on Windows XP and Server 2003 contains a vulnerability that can be used to execute arbitrary code when Internet Explorer visits a crafted web page (MS09-032). The patch does not fix the control itself but sets the kill bit for its CLSIDs, so that Internet Explorer will no longer load it. Microsoft also recommends that users of Windows 2000, Vista and Server 2008 (except Core installations, which are not affected) install the update to head off future security problems with the Video ActiveX control.
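A kill bit is nothing more than a registry flag that Internet Explorer consults before instantiating a control, so whether the update has actually taken effect can be verified on the machine. The following PowerShell function is an added example, not code from the article or from Microsoft: it reads the documented "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility for each CLSID you pass in and reports whether the kill bit (0x400) is set. No CLSIDs are hard-coded; the all-zeros GUID in the example call is a placeholder, and the real list should be taken from the bulletin's kill-bit table.

```powershell
# Added example: check whether the ActiveX kill bit is set for given CLSIDs.
# Run in an elevated PowerShell on the machine to be checked.
function Test-KillBit {
    param(
        # CLSIDs in registry form, e.g. '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'
        [Parameter(Mandatory = $true)]
        [string[]] $Clsid
    )

    $base        = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    $KillBitFlag = 0x400   # documented bit in "Compatibility Flags" that disables the control in IE

    foreach ($id in $Clsid) {
        $key   = Join-Path $base $id
        $flags = 0

        if (Test-Path $key) {
            # The value is absent if the control has never been flagged; treat that as 0.
            $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
            if ($null -ne $value) { $flags = [int]$value }
        }

        [pscustomobject]@{
            CLSID      = $id
            KillBitSet = (($flags -band $KillBitFlag) -ne 0)
            Flags      = ('0x{0:X8}' -f $flags)
        }
    }
}

# Example call with a placeholder CLSID; substitute the CLSIDs listed in the bulletin.
Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

One caveat when using this on 64-bit Windows: the 32-bit Internet Explorer reads the kill bits from the Wow6432Node branch (HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility), so both locations need to be checked there.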
The updates for Microsoft's virtualisation products fix vulnerabilities in Virtual PC 2004 and 2007 and Virtual Server 2005 (MS09-033). Virtual PC for the Mac is not affected. Anyone who does not install the patch should expect malware running inside a guest system to be able to obtain system privileges within that guest.
The patches can, as ever, be obtained via the Windows Update service. Since exploit code is likely to appear very soon and most of the vulnerabilities can be exploited simply by visiting a web page, Windows users should install the patches as soon as possible.
- Microsoft Security Bulletin Summary for July 2009, overview from Microsoft.