Microsoft patches 9 bugs, leaves one open for hackers

Two zero-days and critical font bug quashed; no fix for Monday's ActiveX vulnerability

Microsoft today delivered six security updates that patch nine vulnerabilities, fixing two bugs already being used by hackers but leaving one still open to exploit.

Of the six bulletins, three patched some part of Windows, while the remainder plugged holes in Publisher, Internet Security and Acceleration Server (ISA) and Microsoft's virtualization software. Six of the nine bugs were ranked critical, Microsoft's highest ranking in its four-step score, while three were tagged as "important," the next-lowest label.

"We got what we expected," said Andrew Storms, director of security operations at nCircle Network Security. "We got the 'kill bit' we were looking for in the ActiveX control and the DirectShow fix," he said, referring to two recent vulnerabilities that attackers have been exploiting for weeks.

In May, Microsoft acknowledged that hackers had begun exploiting a bug in DirectShow, one of the components in Windows' DirectX graphics platform. Last week, it owned up to another bug, this one in a video streaming ActiveX control used by Internet Explorer (IE) -- and admitted it had known about, but not fixed, the flaw for the past 18 months.

Microsoft patched the already-public DirectShow flaw with MS09-028, and for good measure tucked in fixes for two more vulnerabilities also reported by researchers.

The "kill-bit" update in MS09-032 didn't actually patch the underlying ActiveX problem. Instead, Microsoft simply disabled the control, effectively shutting off any possible attack by modifying the Windows registry using the update. Microsoft offered the same protective measure via an automated tool last week, but that required users to manually browse to a support document, then download, install and run the tool.

Researchers unanimously voted those two updates as the ones to deploy immediately. "Microsoft did well to get out the two zero-days," said Eric Schultze, chief technical officer at Shavlik Technologies, "especially the ActiveX. It was a little much to ask them to get out the Office ActiveX fix, though."

Schultze was talking about a bug in an ActiveX control used by Office Web Components to display Excel spreadsheets in IE. Microsoft warned users of the vulnerability only yesterday. By today, Web attacks had rapidly increased. On Monday, however, Microsoft said that it wouldn't wrap up a fix in time for today's release.

Like the DirectShow ActiveX flaw that was patched today, Microsoft has released a "Fix It" tool that users can download and run themselves to kill the control. But, according to Schultze, Microsoft's not planning to push a kill-bit update to users for this second flaw. "Setting the kill bits actually impedes functionality," Schultze said. "Microsoft told me today that they're working on a file-level fix."

Other researchers speculated that Microsoft might depart from its usual once-per-month patch schedule to get such a fix out before Aug. 11, the next regularly-scheduled update. "Obviously, that would be much better," agreed Wolfgang Kandek, chief technology officer at security company Qualys.

The third critical update, MS09-029, also caught the eyes of Schultze and Kandek. Two vulnerabilities in Embedded OpenType (EOT) Engine leave all versions of Windows, including Vista and Server 2008, open to attack.

"It looks pretty easy to exploit," said Kandek. "If you view some text on a Web site in that font, you're compromised. And if the attack comes in an e-mail, there's no need to open an attachment, you can be compromised just by viewing the e-mail."

Schultze agreed. Calling the font vulnerabilities "nasty," he said that they could quickly be used up by hackers. "If there's exploit code available, which there isn't yet, these would be pretty easy to exploit," Schultze said.

Microsoft also delivered patches today for bugs in Publisher 2007, ISA 2006 and the client and server editions of its virtualization software. The ISA bug, described in MS09-031 intrigued both Kandek and Schultze, but not for the same reasons.

"You can gain full control of the server if you know the administrator password," said Kandek. "And in some situations, that password may be 'administrator' or 'admin' or even 'root'."

Shops with weak usernames may be at risk of information theft, added Amol Sarwate, the manager of Qualys' vulnerability research lab. "[Attackers] could install small malware and maybe sniff the Web traffic [through the server], access other systems on the same network or even redirect users to another Web site," Sarwate speculated.

Schultze dismissed those worries. "It looks like all the planets have to [be] aligned just right," he said, referring to the narrow scenario Microsoft spelled out. "I'd call that a real edge case."

The remaining two updates patched Publisher 2007 ( MS09-030) and Virtual PC and Virtual Server ( MS09-033). Neither drew much attention from Schultze, Kandek or Sarwate.

Storms, however, put a finger on the Publisher patch. "MS09-029 and MS09-030 are bucking the trend," said Storms, talking about the Publisher and OpenType bulletins. "Typically, Microsoft's newer software is more secure, but that's not the case here.

"The fact that we got them both in the same month is probably just a coincidence," Storms continued. "But it doesn't surprise me that researchers are looking at the newer software, because it's the newer software that's being deployed."

Schultze and Kandek noted that the OpenType vulnerabilities' appearance in all versions of Windows, up to and including the unfinished Windows 7, likely means Microsoft had overlooked the flaw for years. "It tells me that that particular component has received less attention," Kandek said, "and that Microsoft didn't change anything in the code from when it was first used in [Windows] 2000.

And the virtualization software bugs? Nothing much to worry about, said Schultze, since there's no chance that an attacker could escape the "guest" operating system to wreak havoc on the "host."

"But I think it's a sign of things to come," argued Kandek. "Virtualization adds to the attack surface rather than subtract."

July's updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftactivexsecurity patchbugs

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Show Comments





Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?