Microsoft promises to stymie hackers next week with new patches

Takes unusual step of confirming fixes for bugs currently under attack

Microsoft today said it would deliver six security updates next Tuesday, including two for holes that hackers have been using for months to attack Windows and Internet Explorer (IE).

Of the six updates previewed today in the advance notice, three will affect Windows, and one each will patch problems in Publisher, Internet Security and Acceleration Server (ISA) and Microsoft's Virtual PC and Virtual Server software. The Windows updates will be tagged "critical," Microsoft's highest threat ranking, while the others will be marked "important," the next rating down in the company's four-step scoring system.

The two aimed at a pair of zero-days -- vulnerabilities exploited before a patch is available -- are the top story, said Andrew Storms, director of security operations at nCircle Network Security. "What really trumps today are the [fixes for the] known bugs," said Storms, referring to one vulnerability in DirectX's DirectShow and another in an ActiveX control exploitable through IE6 and IE7.

"In fact, it's difficult to guess what we'll see in the other [four updates], but in the end it probably won't matter much," Storms said. "What we need are the mitigations for the DirectX and ActiveX bugs."

Microsoft made clear that two of the three critical Windows fixes next week will address vulnerabilities it has acknowledged in a pair of recent security advisories. In itself, that's very unusual; normally, the advance notifications and any accompanying commentary don't specify which bugs will be patched. "It is unusual," said Storms. "But I'm not entirely surprised, because of the way that Microsoft has been more communicative about security."

"We will be addressing the issue ... concerning a vulnerability in DirectShow," Jerry Bryant, a spokesman for the Microsoft Security Research Center (MSRC), said in a blog post today.

Bryant was referring to a late-May warning in which Microsoft acknowledged that on-going attacks were targeting a flaw in the QuickTime parser within DirectShow. Microsoft was not able to produce a patch in time to meet the regular June update schedule.

Also on Tuesday's books is a fix for the more recent ActiveX bug that hackers have been using since early June to hijack increasing numbers of Windows XP PCs. According to the researchers who discovered the bug, Microsoft has had details of the vulnerability for more than 12 months, and attacks have been conducted since at least June 9.

Earlier today, Mike Reavey, a director at MSRC, confirmed that Microsoft has known of the bug since the early spring of 2008, but denied that the company knew of in-the-wild attacks until last week. "We were made aware of the attacks only the day before we released the advisory," Reavey said.

The fix for the ActiveX vulnerability won't be a patch per se, said Reavey, but will instead be an automatic update that will set a large number of "kill bits" to disable the flawed control. The fix, then, will be the same as the manual workaround that Microsoft published Monday along with its advisory.

"This will block all known attacks," promised Reavey, who added that Microsoft will continue its work on a full-fledged patch, which will be released at some point in the future. He declined to say whether that patch would be delivered "out-of-cycle" -- outside the normal monthly update schedule -- when it is ready.

Knowing exactly what will be fixed is an added bonus for users, argued Storms, again pointing out how unusual it is for Microsoft to confirm patches in today's advance warning. "Knowing that that patch is coming out Tuesday, enterprises may halt their current efforts to deploy the workaround and just wait for the automatic update," he said.

"The rest of the updates are a smorgasbord, if you will," Storms said, when asked to describe the other four updates slated for delivery on Tuesday. "For the most part, it looks like we're back to the historical trend, where newer products have fewer risks."

But the big news is the fixes for the two zero-days, he repeated. "Everyone should be glad to see them," he said.

Microsoft will release the six updates at approximately 1 p.m. ET on July 14.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags MicrosoftInternet Explorer

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments



Victorinox Werks Professional Executive 17 Laptop Case

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?