Stephen Withers
Friday, 10 July 2009 04:36
Subsequent investigation revealed that multiple interfaces to the affected control were similarly vulnerable, and that these interfaces had already been disabled in Internet Explorer as part of the security work on Vista.
But the fact that Microsoft hadn't used 45 of these interfaces didn't mean that disabling them wouldn't adversely affect third-party applications - more research and testing was needed.
Fortunately, by the time of the large-scale attacks Microsoft was sufficiently confident to recommend the kill-bit fix as a fill-in until the real update could be released as part of the following Patch Tuesday.
The company has also revealed that this month's patches will include a fix for the vulnerability in DirectShow that allows a maliciously crafted QuickTime file to trigger remote code execution.
This issue affects Windows 2000, XP, and Server 2003, but not Vista or Server 2008. Microsoft warned customers of this problem in late May.
As with the vulnerability affecting the ActiveX object described above, Microsoft provided a temporary fix for the issue.
Details of the third Windows issue have yet to be revealed, so it is most likely not being exploited to any significant extent. The update will apparently apply to all currently supported versions of Windows.
The other three problems set to be overcome by the July updates are all rated as important.
There's a remote code execution vulnerability concerning Publisher 2007, and privilege escalation issues in Internet Security and Acceleration Server 2006, and in Virtual PC 2004 and 2007 plus Virtual Server 2005.