Patch Tuesday brings critical Windows updates - and more

Stephen Withers
Wednesday, 15 July 2009 06:40

Business IT - Security

Microsoft has patched nine vulnerabilities in Windows, Office, Virtual PC and Virtual Server.

As expected, Microsoft released six security bulletins on July's Patch Tuesday. A total of nine vulnerabilities have been addressed.

Three of the bulletins - all rated as critical as they allow remote code execution - apply to various versions of Windows.

The well-publicised DirectShow vulnerabilities are addresses for Windows 2000, XP and Server 2003. Vista and Server 2008 are not affected.

The issue allows maliciously crafted QuickTime movie files to trigger the execution of remote code with the same privileges as the current user. Apple's QuickTime software is not involved and need not be installed for the flaw to be exploited.

Exploits for at least one of the DirectShow vulnerabilities are in the wild.

A pair of vulnerabilities in the Embedded OpenType (EOT) Font Engine affect all currently supported versions of Windows other than Server 2008 server core installations.

EOT files can be used by Internet Explorer and Microsoft Office, among other applications.

Microsoft warns that exploits could allow complete control of a system, including the creation of new accounts with full rights.

The third bulletin concerns another issue that is being actively exploited. An update for Windows XP and Server 2003 sets a kill bit to prevent the exploitation of a vulnerability in the Microsoft Video ActiveX Control. Although Vista and Server 2008 are not affected by the vulnerability, Microsoft recommends the update for those systems as a "defense-in-depth measure".

The update is cumulative - that is, it includes previously released ActiveX kill bits.

(This leaves a more recent ActiveX issue for a subsequent Patch Tuesday unless Microsoft decides to rush out an out-of-cycle update.)

Please read on for information about the Office and Virtual PC/Virtual Server issues - and more.