Two of the updates buck the trend, notes security researcher.

Microsoft Tuesday delivered six security updates that patched nine vulnerabilities. The patches fix two bugs now being used by hackers but leave one still open to exploit.

Of the six bulletins, three patched some part of Windows, while the remainder plugged holes in Publisher, Internet Security and Acceleration Server (ISA), and Microsoft’s virtualization software. Six of the nine bugs were ranked critical, Microsoft’s highest ranking in its four-step score, while three were tagged as “important,” the next-lowest label.

“We got what we expected,” said Andrew Storms, director of security operations at nCircle Network Security. “We got the ‘kill bit’ we were looking for in the ActiveX control, and the DirectShow fix,” he said, referring to two recent vulnerabilities that attackers have been exploiting for weeks.

In May, Microsoft acknowledged ongoing attacks exploiting a bug in DirectShow, one of the components in Windows’ DirectX graphics platform. Last week, it owned up to a bug in a video streaming ActiveX control used by Internet Explorer (IE), which it had known about, but not fixed, for the past 18 months. Last Thursday, Microsoft had gone into unusual detail to describe the upcoming patches, and promised that both the DirectShow and ActiveX bugs would be patched.

Microsoft also delivered patches today for two critical vulnerabilities in a Windows font engine, and one important bug each in Publisher 2007, ISA 2006, and the client and server editions of its virtualization software.

“MS09-029 and MS09-030 are bucking the trend,” said Storms, talking about two of the six bulletins released today. “Typically, Microsoft’s newer software is more secure, but that’s not the case here.”

The fix for the Embedded OpenType (EOT) Engine in MS09-029 is rated critical in all versions of Windows, including Vista and Server 2008, which, if not immune to many attacks, are often less threatened by exploits because of additional security measures baked into those operating systems. And the Publisher patch in MS09-030 fixes a file format flaw in the newest 2007 edition.

“The fact that we got them both in the same month is probably just a coincidence,” said Storms, “but it doesn’t surprise me that researchers are looking at the newer software, because it’s the newer software that’s being deployed.”

Missing from today’s batch was a patch or automated “kill bit” solution for another ActiveX control vulnerability that Microsoft disclosed only yesterday. Web attacks exploiting that bug are rapidly increasing, but Microsoft said Monday that it wouldn’t be able to wrap up a fix in time for today.

July’s updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.