Triple-critical Microsoft Patch Tuesday ahead

Stephen Withers
Friday, 10 July 2009 04:36

Business IT - Security

Microsoft has told customers to expect three critical updates to Windows this month. One will fix a flaw that's being actively exploited, especially through Asian web sites.

Microsoft doesn't usually provide much detail about security patches until they are released, but this month is an exception.

The company is preparing to release three critical fixes for Windows this month (plus three for other software), and has already revealed the nature of two of them.

A vulnerability in the MPEG2TuneRequest ActiveX Control Object is reportedly being exploited via thousands of compromised web sites in China and other parts of Asia.

Microsoft has warned that "A browse-and-get-owned attack vector exists" for this flaw. Merely opening a web page containing an exploit will give the attacker control of the computer.

On Monday, Microsoft recommended kill-bitting the object as a way of protecting systems against these attacks, and provided an automatic means of doing so. (Kill-bits can be manually set by editing the Registry.)

Although some reports have suggested Microsoft has moved with unusual speed to include a full fix as part of July's security updates, that is misleading.

Microsoft itself has pointed out that the original report of this issue was made by IBM's X-Force in (northern) Spring 2008 - that's well over a year ago.

Please read on for more details of this and other vulnerabilities to be fixed next Tuesday.