Microsoft distributes six patches for nine vulnerabilities
Three of the six fixes carry the grade of "critical," Microsoft's highest severity rating.
One of the three resolves vulnerabilities in DirectShow that were being actively exploited in attacks triggered when users opened specially crafted QuickTime files.
Another of the critical bulletins handles a zero-day flaw in a Microsoft Video ActiveX control disclosed last week. The patch is actually a formalized version of the workaround Microsoft had already recommended, which involves setting the kill bits for the affected control.
"The flaw was already being exploited in Asia," said Ben Greenbaum, senior research manager at Symantec Security Response, in a statement. "There was potential for this to become a bigger problem for users if left unaddressed by Microsoft."
The final critical patch remediates flaws in the Embedded OpenType Font Engines that could be exploited just by getting a user to visit a malicious website, open an email or view an Office document.
"This impacts all operating systems," Eric Schultze, CTO of patch management firm Shavlik Technologies, told SCMagazineUS.com on Tuesday. "It probably involves a chunk of code that has been there for a long time and probably hasn't been reviewed. If the attacker builds some evil embedded fonts into their web page or Office document, and the browser or operating system tries to parse the fonts, malicious code could be executed."
Schultze added that although this was the first time he could recall such a vulnerability, he doubts it is something that will linger.
"Microsoft did a pretty good job of containing it," he said. "They got it all with this one patch. We're probably not going to see it again."
The update included three other bulletins, labeled "important." One addresses a vulnerability in Virtual PC and Virtual Server and another involves a bug in the Internet Security and Acceleration Server -- both of which could enable privilege escalation.
The third important patch fixes a flaw in Microsoft Publisher 2007 Service Pack (SP) 1 that could enable remote code execution. Other versions of Publisher, including SP2 for 2007, are not affected.
Not included in Tuesday's security update, as expected, was a plug for another zero-day ActiveX control bug, announced Monday. Microsoft, though, has recommended a workaround for it, and Schultze said he expects users will see a patch next month.